video: tegra: nvmap: Fix OOB vulnerability
Sagar Kadamati [Tue, 6 Dec 2016 06:08:01 +0000 (11:08 +0530)]
Check all pages' parameters before reserving pages.

Bug 1831426
Bug 200247013
Bug 1849492
CVE-2016-8428 (A-31993456)

Manual port: http://git-psac/r/9287

(cherry picked from commit 61a05b52b8a17593e2817076b9bf59efdd9268ad)

Change-Id: I2f47c385ff8f4a9ca6bf37ee41749bd684ca1a20
Reviewed-on: http://git-master/r/1273326
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285872
(cherry picked from commit 0a44c684a3bdad4d25d0c5a89e04170196e12ff6)
Reviewed-on: http://git-master/r/1299504
(cherry picked from commit e124868998c604716d0ece1a0cb7e187db4adb18)
Reviewed-on: http://git-master/r/1311421
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

drivers/video/tegra/nvmap/nvmap_mm.c

index 101d1f2..6dcf91a 100644 (file)
@@ -3,7 +3,7 @@
  *
  * Some MM related functionality specific to nvmap.
  *
- * Copyright (c) 2013-2016, NVIDIA CORPORATION. All rights reserved.
+ * Copyright (c) 2013-2017, NVIDIA CORPORATION. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -293,6 +293,15 @@ int nvmap_reserve_pages(struct nvmap_handle **handles, u32 *offsets, u32 *sizes,
 {
        int i, err;
 
+       /* validates all page params first */
+       for (i = 0; i < nr; i++) {
+               u32 size = sizes[i] ? sizes[i] : handles[i]->size;
+               u32 offset = sizes[i] ? offsets[i] : 0;
+
+               if ((offset != 0) || (size != handles[i]->size))
+                       return -EINVAL;
+       }
+
        for (i = 0; i < nr; i++) {
                u32 size = sizes[i] ? sizes[i] : handles[i]->size;
                u32 offset = sizes[i] ? offsets[i] : 0;
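Review bot: The new validation loop at the top of nvmap_reserve_pages() derives size and offset with the same two ternaries as the loop that follows it, so the check and the use can drift apart in a later edit; move the derivation and the range test into one small helper that both loops call, or drop whatever per-entry test the second loop still carries, since it can no longer fail. The comment "validates all page params first" should also say what is actually enforced: with `if ((offset != 0) || (size != handles[i]->size))`, only whole-handle requests pass (sizes[i] of 0, or offsets[i] of 0 with sizes[i] equal to handles[i]->size), and every partial range returns -EINVAL before any entry is processed. Stating that, and that the point of the separate pass is to fail before anything is reserved, would make the intent clear to the next reader. Separately, the loop dereferences handles[i] with no NULL check visible in this hunk; if the callers do not already guarantee non-NULL entries, reject them here as well. Minor style: the inner parentheses around `offset != 0` and `size != handles[i]->size` are unnecessary.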