video: tegra: nvmap: Fix security issue in NVMAP_IOC_PARAM
Gagan Grover [Thu, 24 Nov 2016 11:28:49 +0000 (16:28 +0530)]
Initialized the uninitialized variables and handled return status
from nvmap_get_handle_param.

Bug 1820242

Change-Id: I2390c859d2b2af39eaff44749ca64e60920fe944
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259560
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

drivers/video/tegra/nvmap/nvmap_ioctl.c

index 887acdb..ddf802b 100644 (file)
@@ -385,9 +385,9 @@ int nvmap_ioctl_get_param(struct file *filp, void __user *arg, bool is32)
        struct nvmap_handle_param __user *uarg = arg;
        struct nvmap_handle_param op;
        struct nvmap_client *client = filp->private_data;
-       struct nvmap_handle_ref *ref;
-       struct nvmap_handle *h;
-       u64 result;
+       struct nvmap_handle_ref *ref = NULL;
+       struct nvmap_handle *h = NULL;
+       u64 result = 0;
        int err = 0;
 
 #ifdef CONFIG_COMPAT
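Review bot: Of the three new initializers, only `u64 result = 0;` has a reason visible in this commit, and that reason is not written down. The second hunk passes `&result` to nvmap_get_handle_param, and going by the commit title the value is handed back to the ioctl caller, so a comment on that line such as `/* returned to userspace; must never hold stack contents */` would keep a later cleanup from dropping the initializer. The NULL initializers on `ref` and `h` may also silence the compiler's maybe-uninitialized warning on any path that reads them before assignment. The function body continues outside the hunk, so whether such a path exists cannot be checked from here.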
@@ -413,6 +413,9 @@ int nvmap_ioctl_get_param(struct file *filp, void __user *arg, bool is32)
        }
 
        err = nvmap_get_handle_param(client, ref, op.param, &result);
+       if (err) {
+               goto ref_fail;
+       }
 
 #ifdef CONFIG_COMPAT
        if (is32)
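Review bot: The new `if (err)` check after nvmap_get_handle_param has no comment saying why the failure path must skip the code below it, and it braces a single statement, which kernel coding style omits. I would write it as `if (err)` followed by `goto ref_fail; /* do not copy result out to the user on failure */`. The `ref_fail` label and the copy-out that starts under `#ifdef CONFIG_COMPAT` lie outside the hunk. It is worth confirming that the label releases everything acquired before this call and that the `err` set here is the value the ioctl returns.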