Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 62e76400 authored by Shalini Krishnamoorthi's avatar Shalini Krishnamoorthi Committed by Gerrit - the friendly Code Review server
Browse files

msm: mdss: Fix to validate data copied from user space 



The overlay zorder values copied from user space are used
as index in left_lm_zo_cnt and right_lm_zo_cnt. This fix
will validate the overlay zorder value copied from user
space to not go beyond MDSS_MDP_MAX_STAGE, thus preventing
any arbitrary increments in kernel memory.

CRs-Fixed: 1049232
Change-Id: Ie8e65ce9f58cb357204bfa4c6a6e0fccec82d5ba
Signed-off-by: default avatarShalini Krishnamoorthi <shakri@codeaurora.org>
parent e97b6a0e

drivers/video/fbdev/msm/mdss_mdp_overlay.c

+6 −2
Original line number Diff line number Diff line
@@ -4427,16 +4427,20 @@ static int __mdss_overlay_src_split_sort(struct msm_fb_data_type *mfd, 
		__overlay_swap_func);



	for (i = 0; i < num_ovs; i++) {

		if (ovs[i].z_order >= MDSS_MDP_MAX_STAGE) {

			pr_err("invalid stage:%u\n", ovs[i].z_order);

			return -EINVAL;

		}

		if (ovs[i].dst_rect.x < left_lm_w) {

			if (left_lm_zo_cnt[ovs[i].z_order] == 2) {

				pr_err("more than 2 ov @ stage%d on left lm\n",

				pr_err("more than 2 ov @ stage%u on left lm\n",

					ovs[i].z_order);

				return -EINVAL;

			}

			left_lm_zo_cnt[ovs[i].z_order]++;

		} else {

			if (right_lm_zo_cnt[ovs[i].z_order] == 2) {

				pr_err("more than 2 ov @ stage%d on right lm\n",

				pr_err("more than 2 ov @ stage%u on right lm\n",

					ovs[i].z_order);

				return -EINVAL;

			}