
Commit 8fa76855 authored by Archana Sriram's avatar Archana Sriram Committed by Gerrit - the friendly Code Review server

msm: kgsl: Fix calculation of size in _load_regfile



During firmware load, data over-reads could occur because
lm_size and lm_sequence are calculated from block and
block_size. Added bounds checking to prevent this and
improved the size calculation.

CRs-Fixed: 2107981
Change-Id: Ib4283951b0d6c8fb699af1f85e657981ad4c0318
Signed-off-by: default avatarArchana Sriram <apsrir@codeaurora.org>
parent 1d4c367d
+8 −4
@@ -1195,8 +1195,8 @@ static void _load_regfile(struct adreno_device *adreno_dev)
{
	struct kgsl_device *device = KGSL_DEVICE(adreno_dev);
	const struct firmware *fw;
	uint32_t block_size = 0, block_total = 0, fw_size;
	uint32_t *block;
	uint64_t block_size = 0, block_total = 0;
	uint32_t fw_size, *block;
	int ret = -EINVAL;

	if (!adreno_dev->gpucore->regfw_name)
@@ -1218,7 +1218,8 @@ static void _load_regfile(struct adreno_device *adreno_dev)
	/* All offset numbers calculated from file description */
	while (block_total < fw_size) {
		block_size = block[0];
		if (block_size >= fw_size || block_size < 2)
		if (((block_total + block_size) >= fw_size)
				|| block_size < 5)
			goto err;
		if (block[1] != GPMU_SEQUENCE_ID)
			goto err;
@@ -1233,6 +1234,9 @@ static void _load_regfile(struct adreno_device *adreno_dev)
				goto err;

			adreno_dev->lm_fw = fw;

			if (block[2] > (block_size - 2))
				goto err;
			adreno_dev->lm_sequence = block + block[2] + 3;
			adreno_dev->lm_size = block_size - block[2] - 2;
		}
@@ -1245,7 +1249,7 @@ static void _load_regfile(struct adreno_device *adreno_dev)
err:
	release_firmware(fw);
	KGSL_PWR_ERR(device,
		"Register file failed to load sz=%d bsz=%d header=%d\n",
		"Register file failed to load sz=%d bsz=%llu header=%d\n",
		fw_size, block_size, ret);
	return;
}
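Review bot: In the third hunk the new `if (block[2] > (block_size - 2)) goto err;` sits after `adreno_dev->lm_fw = fw;`, so when it fires the `err:` path calls `release_firmware(fw)` while `adreno_dev->lm_fw` still holds the released pointer. Whether `lm_fw` is later dereferenced or released again is not visible on this page, but a stale firmware pointer left in the device struct invites a use-after-free or double release. Move the bounds check above the assignment, or clear the field on the error path with `adreno_dev->lm_fw = NULL;`. Separately, `fw_size` is a `uint32_t` but the updated message still prints it with `%d`; `sz=%u` would match the type. The body of `_load_regfile` continues outside the visible hunks.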