Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 79492490 authored by Jordan Crouse's avatar Jordan Crouse
Browse files

drm/msm: Fix possible overflow issue in submit_cmd 



When verifying that the submit_cmd offset and size do not exceed the
bounds of the GEM object make sure to cast the math operation
into a suitably large buffer to account for overflow.

Change-Id: Ic0dedbad97513ee538d539e771038b3cf0405e91
Signed-off-by: default avatarJordan Crouse <jcrouse@codeaurora.org>
parent c1a24720

drivers/gpu/drm/msm/msm_gem_submit.c

+7 −4
Original line number Diff line number Diff line
@@ -434,6 +434,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data, 
			to_user_ptr(args->cmds + (i * sizeof(submit_cmd)));

		struct msm_gem_object *msm_obj;

		uint64_t iova;

		size_t size;



		ret = copy_from_user(&submit_cmd, userptr, sizeof(submit_cmd));

		if (ret) {
@@ -466,10 +467,12 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data, 
			goto out;

		}



		if (!(submit_cmd.size) ||

			((submit_cmd.size + submit_cmd.submit_offset) >

				msm_obj->base.size)) {

			DRM_ERROR("invalid cmdstream size: %u\n", submit_cmd.size);

		size = submit_cmd.size + submit_cmd.submit_offset;



		if (!submit_cmd.size || (size < submit_cmd.size) ||

			(size > msm_obj->base.size)) {

			DRM_ERROR("invalid cmdstream offset/size: %u/%u\n",

				submit_cmd.submit_offset, submit_cmd.size);

			ret = -EINVAL;

			goto out;

		}