Google Git
Sign in
android / kernel / tegra / 1ff2efce08789430bade840962543406922e1347^! / .
commit1ff2efce08789430bade840962543406922e1347[log] [tgz]
authorSomasundaram S <somasundaram@nvidia.com>Thu Mar 10 17:33:11 2016 +0530
committerAndres Morales <anmorales@google.com>Tue Mar 22 13:29:42 2016 -0700
tree785035934ca53d009e9f2721ca67ece2e363fc12
parente44345a2389cea62ce71b178cd99eade74558bac [diff]
media: tegra: nvavp: Fix heap overflow

Bug:27253079

Increase NVAVP_MAX_RELOCATION_COUNT to max. possible value
and add check to return error if num_relocs in
nvavp_pushbuffer_submit_ioctl exceeds
NVAVP_MAX_RELOCATION_COUNT

Change-Id: Ief36cedd692aa53135fc6a0039b19f18609259dd
Signed-off-by: Somasundaram S <somasundaram@nvidia.com>
(cherry picked from commit b1a604ef7860d6ad87a464eb57024aaf667a7e88)
Signed-off-by: Xia Yang <xiay@nvidia.com>

diff --git a/drivers/media/platform/tegra/nvavp/nvavp_dev.c b/drivers/media/platform/tegra/nvavp/nvavp_dev.c
index dd84bde..e509998 100644
--- a/drivers/media/platform/tegra/nvavp/nvavp_dev.c
+++ b/drivers/media/platform/tegra/nvavp/nvavp_dev.c

@@ -1,7 +1,7 @@
 /*
  * drivers/media/video/tegra/nvavp/nvavp_dev.c
  *
- * Copyright (c) 2011-2015, NVIDIA CORPORATION.  All rights reserved.
+ * Copyright (c) 2011-2016, NVIDIA CORPORATION.  All rights reserved.
  *
  * This file is licensed under the terms of the GNU General Public License
  * version 2. This program is licensed "as is" without any warranty of any
@@ -1688,6 +1688,12 @@
 	if (!hdr.cmdbuf.mem)
 		return 0;
 
+	if (hdr.num_relocs > NVAVP_MAX_RELOCATION_COUNT) {
+		dev_err(&nvavp->nvhost_dev->dev,
+			"invalid num_relocs %d\n", hdr.num_relocs);
+		return -EINVAL;
+	}
+
 	if (copy_from_user(clientctx->relocs, (void __user *)hdr.relocs,
 			sizeof(struct nvavp_reloc) * hdr.num_relocs)) {
 		return -EFAULT;

diff --git a/include/linux/tegra_nvavp.h b/include/linux/tegra_nvavp.h
index c74b645..1369603 100644
--- a/include/linux/tegra_nvavp.h
+++ b/include/linux/tegra_nvavp.h

@@ -1,7 +1,7 @@
 /*
  * include/linux/tegra_nvavp.h
  *
- * Copyright (c) 2012-2015, NVIDIA CORPORATION.  All rights reserved.
+ * Copyright (c) 2012-2016, NVIDIA CORPORATION.  All rights reserved.
  *
  * This file is licensed under the terms of the GNU General Public License
  * version 2. This program is licensed "as is" without any warranty of any
@@ -14,7 +14,7 @@
 #include <linux/ioctl.h>
 #include <linux/types.h>
 
-#define NVAVP_MAX_RELOCATION_COUNT 64
+#define NVAVP_MAX_RELOCATION_COUNT 65
 
 /* avp submit flags */
 #define NVAVP_FLAG_NONE		0x00000000