Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fded6a74 authored by Jordan Crouse's avatar Jordan Crouse
Browse files

msm: kgsl: Verify the user address before reading a perfcounter group 



In adreno_perfcounter_read_group some user input verification is
occuring on a user pointer before copy_from_user is called
resulting in a possible segmentation fault if called with improper
input data.

CRs-fixed: 553314
Change-Id: Ic0dedbad4c5e4b2610368d51ff591d1f716712f4
Signed-off-by: default avatarJordan Crouse <jcrouse@codeaurora.org>
parent 32bb8330

drivers/gpu/msm/adreno.c

+8 −7
Original line number Diff line number Diff line
@@ -328,7 +328,7 @@ done: 
 */



int adreno_perfcounter_read_group(struct adreno_device *adreno_dev,

	struct kgsl_perfcounter_read_group *reads, unsigned int count)

	struct kgsl_perfcounter_read_group __user *reads, unsigned int count)

{

	struct adreno_perfcounters *counters = adreno_dev->gpudev->perfcounters;

	struct adreno_perfcount_group *group;
@@ -347,12 +347,6 @@ int adreno_perfcounter_read_group(struct adreno_device *adreno_dev, 
	if (reads == NULL || count == 0 || count > 100)

		return -EINVAL;



	/* verify valid inputs group ids and countables */

	for (i = 0; i < count; i++) {

		if (reads[i].groupid >= counters->group_count)

			return -EINVAL;

	}



	list = kmalloc(sizeof(struct kgsl_perfcounter_read_group) * count,

			GFP_KERNEL);

	if (!list)
@@ -366,8 +360,15 @@ int adreno_perfcounter_read_group(struct adreno_device *adreno_dev, 


	/* list iterator */

	for (j = 0; j < count; j++) {



		list[j].value = 0;



		/* Verify that the group ID is within range */

		if (list[j].groupid >= counters->group_count) {

			ret = -EINVAL;

			goto done;

		}



		group = &(counters->groups[list[j].groupid]);



		/* group/counter iterator */