Google Git
Sign in
android / kernel / msm / 4436de7a92d037599e0d217f16f9c391b6ad866a
commit4436de7a92d037599e0d217f16f9c391b6ad866a[log] [tgz]
authorGreg Hackmann <ghackmann@google.com>Wed Apr 20 16:33:18 2016 -0700
committerZhao Xuewen <zhaoxuewen@huawei.com>Thu Jul 07 20:49:10 2016 +0800
tree8a62bd5975b469f10d3c5bf262cbd8244e80a583
parent39f2c179e7b0be85d87303e07f794586a5976f84 [diff]
video: adf: zero out mapping data on adf_buffer_map() failure

If the following call chain fails

adf_device_post_nocopy() ->
  adf_buffer_map() ->
    dma_buf_attach(); dma_buf_map_attachment()

then the attachment returned by dma_buf_attach() will get cleaned up
twice: first during the error-handling path inside adf_buffer_map(), and
again during the error-handling path inside adf_device_post_nocopy().

Fix this by zeroing out the mapping data inside adf_buffer_map()'s
error-handling path.  When adf_device_post_nocopy() hands it back to
adf_buffer_mapping_cleanup(), it will deliberately skip over zeroed-out
data.

(The second adf_buffer_mapping_cleanup() call inside
adf_device_post_nocopy() is not a bug; it's intended to clean up after
any *other* buffers we handled as part of this request.)

CVE:CVE-2016-3811

Bug: 28025945
Bug: 28279077

Change-Id: I824d980b208da3a15d35f74970755c8f18500263
Signed-off-by: Greg Hackmann <ghackmann@google.com>
1 file changed
tree: 8a62bd5975b469f10d3c5bf262cbd8244e80a583
  1. android/
  2. arch/
  3. block/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .gitignore
  24. .mailmap
  25. AndroidKernel.mk
  26. build.config
  27. COPYING
  28. CREDITS
  29. Kbuild
  30. Kconfig
  31. MAINTAINERS
  32. Makefile
  33. README
  34. REPORTING-BUGS