video: adf: zero out mapping data on adf_buffer_map() failure
If the following call chain fails
adf_device_post_nocopy() ->
adf_buffer_map() ->
dma_buf_attach(); dma_buf_map_attachment()
then the attachment returned by dma_buf_attach() will get cleaned up
twice: first during the error-handling path inside adf_buffer_map(), and
again during the error-handling path inside adf_device_post_nocopy().
Fix this by zeroing out the mapping data inside adf_buffer_map()'s
error-handling path. When adf_device_post_nocopy() hands it back to
adf_buffer_mapping_cleanup(), it will deliberately skip over zeroed-out
data.
(The second adf_buffer_mapping_cleanup() call inside
adf_device_post_nocopy() is not a bug; it's intended to clean up after
any *other* buffers we handled as part of this request.)
CVE:CVE-2016-3811
Bug: 28025945
Bug: 28279077
Change-Id: I824d980b208da3a15d35f74970755c8f18500263
Signed-off-by: Greg Hackmann <ghackmann@google.com>
1 file changed