video: tegra: nvmap: fix information leak in pin/unpin
Sri Krishna chowdary [Fri, 3 Mar 2017 05:14:08 +0000 (10:14 +0530)]
When the NVMAP_IOC_PIN_MULT_32 and NVMAP_IOC_UNPIN_MULT_32 are
called it is possible that the op.addr is not initialized. This
can cause write to some random address thus causing corruption.

This patch fixes Google Bug 31668540

bug 1832092

Change-Id: I4d12d1a6c777131ba1fa2a753ea640861f8e82a6
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1314406
(cherry picked from commit da0c43534bb61e2e0849e297d389517d5e4ed168)
Reviewed-on: http://git-master/r/1504673
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

drivers/video/tegra/nvmap/nvmap_ioctl.c

index 98b9c78..a52dbab 100644 (file)
@@ -88,6 +88,7 @@ int nvmap_ioctl_pinop(struct file *filp, bool is_pin, void __user *arg,
                        return -EFAULT;
                op.handles = (__u32 *)(uintptr_t)op32.handles;
                op.count = op32.count;
+               op.addr = (unsigned long *)(uintptr_t)op32.addr;
        } else
 #endif
                if (copy_from_user(&op, arg, sizeof(op)))