
Commit ad79c4ca authored by Jordan Crouse's avatar Jordan Crouse Committed by Gerrit - the friendly Code Review server

drm/msm: Fix possible overflow issue in submit_cmd



When verifying that the submit_cmd offset and size do not exceed the
bounds of the GEM object make sure to cast the math operation
into a suitably large buffer to account for overflow.

Change-Id: Ic0dedbad97513ee538d539e771038b3cf0405e91
Signed-off-by: default avatarJordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: default avatarSharat Masetty <smasetty@codeaurora.org>
Signed-off-by: default avatarVenkateswara Rao Tadikonda <vtadik@codeaurora.org>
parent 776b2e1b
+8 −7
@@ -385,7 +385,8 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
		void __user *userptr =
			to_user_ptr(args->cmds + (i * sizeof(submit_cmd)));
		struct msm_gem_object *msm_obj;
		uint32_t iova;
		uint64_t iova;
		size_t size;

		ret = copy_from_user(&submit_cmd, userptr, sizeof(submit_cmd));
		if (ret) {
@@ -417,12 +418,12 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
			goto out;
		}

		if ((submit_cmd.size + submit_cmd.submit_offset) >
				msm_obj->base.size) {
			DRM_ERROR(
			"invalid cmdstream size:%u, offset:%u, base_size:%zu\n",
				submit_cmd.size, submit_cmd.submit_offset,
				msm_obj->base.size);
		size = submit_cmd.size + submit_cmd.submit_offset;

		if (!submit_cmd.size || (size < submit_cmd.size) ||
			(size > msm_obj->base.size)) {
			DRM_ERROR("invalid cmdstream offset/size: %u/%u\n",
				submit_cmd.submit_offset, submit_cmd.size);
			ret = -EINVAL;
			goto out;
		}
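Review bot: The sum on the new `size = submit_cmd.size + submit_cmd.submit_offset;` line is still evaluated in the type of the two fields, which the `%u` format suggests is 32-bit, so storing it in a `size_t` does not widen the arithmetic the way the commit message describes. The bounds check holds only because of the `size < submit_cmd.size` wrap test, and that dependency deserves a comment such as `/* the 32-bit sum may wrap; the size < submit_cmd.size test rejects that case */`. Widening before the add would make the intent explicit, `size = (size_t)submit_cmd.size + submit_cmd.submit_offset;`, with the wrap test kept for builds where `size_t` is 32 bits. The new check also rejects `submit_cmd.size == 0`, and the new message drops `msm_obj->base.size`. Neither is mentioned in the description, and the object size is the value most useful when diagnosing a rejected submit. The body of `msm_ioctl_gem_submit` starts and ends outside the visible hunks.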