
Commit 7017a09c authored by Shashank Babu Chinta Venkata's avatar Shashank Babu Chinta Venkata Committed by Alistair Delva

ANDROID: drivers: gpu: drm: fix bugs encountered while fuzzing



The DRM framework does not have an upper bound on the number of open
file descriptors; this resulted in exhaustion
of file descriptors while fuzzing. Also, add an
upper bound on memory allocation for the
drm_property_blob structure.

Signed-off-by: default avatarShashank Babu Chinta Venkata <sbchin@codeaurora.org>
Bug: 139653858
Change-Id: I42bd3696371db6ae37789e3f7f43db045e166898
parent 67eaae5d
+7 −0
@@ -46,6 +46,8 @@
/* from BKL pushdown */
DEFINE_MUTEX(drm_global_mutex);

#define MAX_DRM_OPEN_COUNT		128

/**
 * DOC: file operations
 *
@@ -322,6 +324,11 @@ int drm_open(struct inode *inode, struct file *filp)
	if (!dev->open_count++)
		need_setup = 1;

	if (dev->open_count >= MAX_DRM_OPEN_COUNT) {
		retcode = -EPERM;
		goto err_undo;
	}

	/* share address_space across all char-devs of a single device */
	filp->f_mapping = dev->anon_inode->i_mapping;
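Review bot: The cap in drm_open() is compared against `dev->open_count`, which appears to be a per-device total shared by all processes, so a single client that keeps its descriptors open can make every later open of the device fail, including the display server's. Because the comparison runs after `dev->open_count++` and uses `>=`, the 128th concurrent open is the one rejected, so the effective limit is 127 rather than MAX_DRM_OPEN_COUNT. `-EPERM` reads as a permission problem to userspace; something like `retcode = -EBUSY;` describes the condition better. I would also add a comment on the define, for example `/* max concurrent opens per DRM device, across all processes */`, and confirm that the `err_undo` label, which is outside this hunk, decrements open_count again.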

+15 −2
@@ -26,6 +26,9 @@

#include "drm_crtc_internal.h"

#define MAX_BLOB_PROP_SIZE	(PAGE_SIZE * 30)
#define MAX_BLOB_PROP_COUNT	250

/**
 * DOC: overview
 *
@@ -556,7 +559,8 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
	struct drm_property_blob *blob;
	int ret;

	if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
	if (!length || length > MAX_BLOB_PROP_SIZE -
				sizeof(struct drm_property_blob))
		return ERR_PTR(-EINVAL);

	blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
@@ -782,12 +786,21 @@ int drm_mode_createblob_ioctl(struct drm_device *dev,
			      void *data, struct drm_file *file_priv)
{
	struct drm_mode_create_blob *out_resp = data;
	struct drm_property_blob *blob;
	struct drm_property_blob *blob, *bt;
	int ret = 0;
	u32 count = 0;

	if (!drm_core_check_feature(dev, DRIVER_MODESET))
		return -EINVAL;

	mutex_lock(&dev->mode_config.blob_lock);
	list_for_each_entry(bt, &file_priv->blobs, head_file)
		count++;
	mutex_unlock(&dev->mode_config.blob_lock);

	if (count >= MAX_BLOB_PROP_COUNT)
		return -EOPNOTSUPP;

	blob = drm_property_create_blob(dev, out_resp->length, NULL);
	if (IS_ERR(blob))
		return PTR_ERR(blob);
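Review bot: In drm_mode_createblob_ioctl() the blob count is taken under `blob_lock`, but the lock is released before the limit is compared and before the new blob is created, so the check and the later insertion into `file_priv->blobs` are not atomic. Two threads issuing the ioctl on the same file can both observe a count below MAX_BLOB_PROP_COUNT and both proceed, so the cap is advisory rather than strict. The insertion itself is outside this hunk; assuming it happens under the same lock further down, the comparison belongs there, or a per-file counter updated under `blob_lock` would avoid walking the list on every call. `-EOPNOTSUPP` tells userspace the ioctl is unsupported; `return -ENOSPC;` would be a clearer signal that a quota was hit. The new size cap in drm_property_create_blob() also applies to any in-kernel caller of that function, which is worth a line in its kernel-doc.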