
Commit 5bb9c179 authored by Terence Hampson's avatar Terence Hampson

mdss: prevent dereferencing of user space pointer



We were dereferencing a userspace pointer in kernel.

Change-Id: I128455904cd396690350fc6b784a8844d594539c
Signed-off-by: default avatarTerence Hampson <thampson@codeaurora.org>
parent 500bff85
+7 −2
@@ -1657,6 +1657,7 @@ static int mdp3_overlay_prepare(struct msm_fb_data_type *mfd,
{
	struct mdp_overlay_list ovlist;
	struct mdp3_session_data *mdp3_session = mfd->mdp.private1;
	struct mdp_overlay *req_list;
	struct mdp_overlay *req;
	int rc;

@@ -1673,12 +1674,16 @@ static int mdp3_overlay_prepare(struct msm_fb_data_type *mfd,
		return -EINVAL;
	}

	if (copy_from_user(req, ovlist.overlay_list[0], sizeof(*req)))
	if (copy_from_user(&req_list, ovlist.overlay_list,
				sizeof(struct mdp_overlay *)))
		return -EFAULT;

	if (copy_from_user(req, req_list, sizeof(*req)))
		return -EFAULT;

	rc = mdp3_overlay_set(mfd, req);
	if (!IS_ERR_VALUE(rc)) {
		if (copy_to_user(ovlist.overlay_list[0], req, sizeof(*req)))
		if (copy_to_user(req_list, req, sizeof(*req)))
			return -EFAULT;
	}
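Review bot: `req_list` holds a userspace address but is declared as a plain `struct mdp_overlay *`, so nothing prevents a later edit from dereferencing it directly, which is the class of bug this commit fixes. Declaring it `struct mdp_overlay __user *req_list;` lets sparse flag any direct access and documents that the value may only be handed to `copy_from_user()`/`copy_to_user()`. The same annotation applies to `req_list[OVERLAY_MAX]` in `__handle_ioctl_overlay_prepare` in the second file. Where `req` points is set between the two hunks and is not visible here, so whether the added `return -EFAULT` path needs any cleanup cannot be judged from this view.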

+16 −2
@@ -48,6 +48,7 @@
#define MEM_PROTECT_SD_CTRL 0xF

#define INVALID_PIPE_INDEX 0xFFFF
#define OVERLAY_MAX 10

struct sd_ctrl_req {
	unsigned int enable;
@@ -2438,20 +2439,33 @@ static int __handle_ioctl_overlay_prepare(struct msm_fb_data_type *mfd,
		void __user *argp)
{
	struct mdp_overlay_list ovlist;
	struct mdp_overlay *req_list[OVERLAY_MAX];
	struct mdp_overlay *overlays;
	int i, ret;

	if (copy_from_user(&ovlist, argp, sizeof(ovlist)))
		return -EFAULT;

	if (ovlist.num_overlays >= OVERLAY_MAX) {
		pr_err("Number of overlays exceeds max\n");
		return -EINVAL;
	}

	overlays = kmalloc(ovlist.num_overlays * sizeof(*overlays), GFP_KERNEL);
	if (!overlays) {
		pr_err("Unable to allocate memory for overlays\n");
		return -ENOMEM;
	}

	if (copy_from_user(req_list, ovlist.overlay_list,
				sizeof(struct mdp_overlay *) *
				ovlist.num_overlays)) {
		ret = -EFAULT;
		goto validate_exit;
	}

	for (i = 0; i < ovlist.num_overlays; i++) {
		if (copy_from_user(overlays + i, ovlist.overlay_list[i],
		if (copy_from_user(overlays + i, req_list[i],
				sizeof(struct mdp_overlay))) {
			ret = -EFAULT;
			goto validate_exit;
@@ -2461,7 +2475,7 @@ static int __handle_ioctl_overlay_prepare(struct msm_fb_data_type *mfd,
	ret = __handle_overlay_prepare(mfd, &ovlist, overlays);
	if (!IS_ERR_VALUE(ret)) {
		for (i = 0; i < ovlist.num_overlays; i++) {
			if (copy_to_user(ovlist.overlay_list[i], overlays + i,
			if (copy_to_user(req_list[i], overlays + i,
					sizeof(struct mdp_overlay))) {
				ret = -EFAULT;
				goto validate_exit;
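Review bot: The `ovlist.num_overlays >= OVERLAY_MAX` test is the only bound on the new copy into the on-stack `req_list[OVERLAY_MAX]`, and it is sufficient only if `num_overlays` is an unsigned type; the struct is declared outside this diff, and the loop index `i` it is compared against is a signed `int`. If the field turns out to be signed, the check should also reject negative values, e.g. `if (ovlist.num_overlays < 0 || ovlist.num_overlays >= OVERLAY_MAX)`, since the value is then multiplied into the `copy_from_user()` length. If it is unsigned, a short comment above the check saying so, and that this check is what sizes the `req_list` copy, would keep a future type change from silently removing the bound. Separately, `>=` rejects exactly `OVERLAY_MAX` entries even though the array has room for them, so either use `>` or reword the "exceeds max" message to match.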