video: tegra: nvmap: fix information leak in pin/unpin
Sri Krishna chowdary [Fri, 3 Mar 2017 05:14:08 +0000 (10:14 +0530)]
When NVMAP_IOC_PIN_MULT_32 and NVMAP_IOC_UNPIN_MULT_32 are called,
it is possible that op.addr is not initialized. This can cause a
write to some random address, thus causing corruption.

This patch fixes Google Bug 31668540

Bug 1832092
Bug 1887273

Change-Id: I4d12d1a6c777131ba1fa2a753ea640861f8e82a6
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1315807
(cherry picked from commit d25ef256594f41723eaae3ba0bb9cb4e9c4a3b4c)
Reviewed-on: http://git-master/r/1458149
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

drivers/video/tegra/nvmap/nvmap_ioctl.c

index f481a5a..a7e833d 100644 (file)
@@ -90,6 +90,7 @@ int nvmap_ioctl_pinop(struct file *filp, bool is_pin, void __user *arg,
                        return -EFAULT;
                op.handles = (__u32 *)(uintptr_t)op32.handles;
                op.count = op32.count;
+               op.addr = (unsigned long *)(uintptr_t)op32.addr;
        } else
 #endif
                if (copy_from_user(&op, arg, sizeof(op)))
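
Review bot: On the added line `op.addr = (unsigned long *)(uintptr_t)op32.addr;`, the 32-bit user-supplied value is widened into an `unsigned long *`, so on this compat path the pointee type is the kernel's native `unsigned long` rather than a 32-bit element type matching the `_32` ioctl. Please confirm that the code which later writes through `op.addr` sizes each element for the 32-bit caller and uses the user-copy helpers; otherwise the write could run past the buffer the caller provided. The subject line says "information leak" while the message body describes a write to a random address causing corruption, and the two should agree. Zero-initializing `op` at its declaration would also keep any field this branch does not copy from `op32` from holding stack contents.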