media: tegra: nvavp: Fix reloc offset check
Somu Sundaram [Fri, 18 Mar 2016 07:22:59 +0000 (12:22 +0530)]
- Check whether command buffer data offset is 32-bit
  aligned
- Check whether relocation offset is 32-bit aligned
  and calculated offset is within command buffer size
- Check whether target offset is 32-bit aligned
  and derived address is within target buffer size

Bug 1741516

Change-Id: Ie5370bc1538c8cf9a702904fb88eb850baeb063d
Signed-off-by: Somu Sundaram <somasundaram@nvidia.com>
Reviewed-on: http://git-master/r/1113949
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Tested-by: Somu Sundaram <somasundarams@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

drivers/media/platform/tegra/nvavp/nvavp_dev.c

index f24b690..4ca6d30 100644 (file)
@@ -1543,7 +1543,8 @@ static int nvavp_pushbuffer_submit_ioctl(struct file *filp, unsigned int cmd,
                return PTR_ERR(cmdbuf_dmabuf);
        }
 
-       if (hdr.cmdbuf.offset > cmdbuf_dmabuf->size) {
+       if ((hdr.cmdbuf.offset & 3)
+               || (hdr.cmdbuf.offset >= cmdbuf_dmabuf->size)) {
                dev_err(&nvavp->nvhost_dev->dev,
                        "invalid cmdbuf offset %d\n", hdr.cmdbuf.offset);
                ret = -EINVAL;
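Review bot: The new condition bounds only where the command data starts, so an aligned `hdr.cmdbuf.offset` just below `cmdbuf_dmabuf->size` passes even though almost no command data fits behind it. If the header also carries a length for the command stream (none is visible in this hunk), it should be checked here too, written as a subtraction so the sum cannot wrap: `|| (cmd_len_bytes > cmdbuf_dmabuf->size - hdr.cmdbuf.offset)`, where `cmd_len_bytes` is a placeholder for that length in bytes. The same start-only bound applies to `target_offset` in the third hunk; if the driver cannot know the extent accessed through the target, a comment saying so would stop readers assuming the whole access is validated. The function begins and ends outside the hunk.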
@@ -1587,7 +1588,11 @@ static int nvavp_pushbuffer_submit_ioctl(struct file *filp, unsigned int cmd,
                        goto err_reloc_info;
                }
 
-               if (clientctx->relocs[i].cmdbuf_offset > cmdbuf_dmabuf->size) {
+               if ((clientctx->relocs[i].cmdbuf_offset & 3)
+                       || (clientctx->relocs[i].cmdbuf_offset >=
+                               cmdbuf_dmabuf->size)
+                       || (clientctx->relocs[i].cmdbuf_offset >=
+                               (cmdbuf_dmabuf->size - hdr.cmdbuf.offset))) {
                        dev_err(&nvavp->nvhost_dev->dev,
                                "invalid reloc offset in cmdbuf %d\n",
                                clientctx->relocs[i].cmdbuf_offset);
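Review bot: The second clause of the new condition, `cmdbuf_offset >= cmdbuf_dmabuf->size`, can never fire on its own, because the third clause compares against `cmdbuf_dmabuf->size - hdr.cmdbuf.offset`, which is never larger than the size; it can be dropped. That subtraction is only safe because the first hunk rejects `hdr.cmdbuf.offset >= cmdbuf_dmabuf->size`, presumably leaving the function before this loop runs, and a comment such as `/* hdr.cmdbuf.offset < size was checked above, so this cannot wrap */` would keep that dependency visible. If the relocation is patched as a 32-bit word (the store is outside the hunk), the bound should also leave four bytes of room, e.g. an extra clause `|| (cmdbuf_dmabuf->size - hdr.cmdbuf.offset - clientctx->relocs[i].cmdbuf_offset < sizeof(u32))` evaluated after the `>=` test. That extra clause only matters when the buffer size is not a multiple of four.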
@@ -1604,7 +1609,9 @@ static int nvavp_pushbuffer_submit_ioctl(struct file *filp, unsigned int cmd,
                        goto target_dmabuf_fail;
                }
 
-               if (clientctx->relocs[i].target_offset > target_dmabuf->size) {
+               if ((clientctx->relocs[i].target_offset & 3)
+                       || (clientctx->relocs[i].target_offset >=
+                               target_dmabuf->size)) {
                        dev_err(&nvavp->nvhost_dev->dev,
                                "invalid target offset in reloc %d\n",
                                clientctx->relocs[i].target_offset);