video: tegra: nvmap: Fix OOB vulnerability
Sagar Kadamati [Tue, 6 Dec 2016 06:08:01 +0000 (11:08 +0530)]
Check all pages' parameters before reserve pages.

Bug 1883463
Bug 1831426
Bug 200247013

Manual port: http://git-psac/r/9287

(cherry picked from commit 61a05b52b8a17593e2817076b9bf59efdd9268ad)

Change-Id: I2f47c385ff8f4a9ca6bf37ee41749bd684ca1a20
Signed-off-by: Xia Yang <xiay@nvidia.com>
Signed-off-by: Sagar Kadamati <skadamati@nvidia.com>
Reviewed-on: http://git-master/r/1273326
Reviewed-on: http://git-master/r/1488769
GVS: Gerrit_Virtual_Submit
Tested-by: Sumit Gupta <sumitg@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

drivers/video/tegra/nvmap/nvmap_mm.c

index 30994e6..fbf5100 100644 (file)
@@ -235,6 +235,15 @@ int nvmap_reserve_pages(struct nvmap_handle **handles, u32 *offsets, u32 *sizes,
 {
        int i;
 
+       /* validates all page params first */
+       for (i = 0; i < nr; i++) {
+               u32 size = sizes[i] ? sizes[i] : handles[i]->size;
+               u32 offset = sizes[i] ? offsets[i] : 0;
+
+               if ((offset != 0) || (size != handles[i]->size))
+                       return -EINVAL;
+       }
+
        for (i = 0; i < nr; i++) {
                u32 size = sizes[i] ? sizes[i] : handles[i]->size;
                u32 offset = sizes[i] ? offsets[i] : 0;