media: tegra: nvavp: Fix arbitrary kernel write
Add checks for command buffer offset, relocation
offset in command buffer and target offset for patching
relocation to prevent aritrary kernel write
Bug:27441354
Change-Id: Ia6183ca75f983c0ede23606be9e5d824aa5fa41d
Signed-off-by: Somu Sundaram <somasundaram@nvidia.com>
(cherry picked from commit 4e3a7eb61b913e15bb91307de4bad1e84ed6551c)
Signed-off-by: Xia Yang <xiay@nvidia.com>
(cherry picked from commit b9989ffe48c99a8390517a3806676374fd7829a3)
diff --git a/drivers/media/platform/tegra/nvavp/nvavp_dev.c b/drivers/media/platform/tegra/nvavp/nvavp_dev.c
index e509998..c16d8aa 100644
--- a/drivers/media/platform/tegra/nvavp/nvavp_dev.c
+++ b/drivers/media/platform/tegra/nvavp/nvavp_dev.c
@@ -1706,6 +1706,13 @@
return PTR_ERR(cmdbuf_dmabuf);
}
+ if (hdr.cmdbuf.offset > cmdbuf_dmabuf->size) {
+ dev_err(&nvavp->nvhost_dev->dev,
+ "invalid cmdbuf offset %d\n", hdr.cmdbuf.offset);
+ ret = -EINVAL;
+ goto err_dmabuf_attach;
+ }
+
cmdbuf_attach = dma_buf_attach(cmdbuf_dmabuf, &nvavp->nvhost_dev->dev);
if (IS_ERR(cmdbuf_attach)) {
dev_err(&nvavp->nvhost_dev->dev, "cannot attach cmdbuf_dmabuf\n");
@@ -1743,6 +1750,14 @@
goto err_reloc_info;
}
+ if (clientctx->relocs[i].cmdbuf_offset > cmdbuf_dmabuf->size) {
+ dev_err(&nvavp->nvhost_dev->dev,
+ "invalid reloc offset in cmdbuf %d\n",
+ clientctx->relocs[i].cmdbuf_offset);
+ ret = -EINVAL;
+ goto err_reloc_info;
+ }
+
reloc_addr = cmdbuf_data +
(clientctx->relocs[i].cmdbuf_offset >> 2);
@@ -1751,6 +1766,15 @@
ret = PTR_ERR(target_dmabuf);
goto target_dmabuf_fail;
}
+
+ if (clientctx->relocs[i].target_offset > target_dmabuf->size) {
+ dev_err(&nvavp->nvhost_dev->dev,
+ "invalid target offset in reloc %d\n",
+ clientctx->relocs[i].target_offset);
+ ret = -EINVAL;
+ goto target_attach_fail;
+ }
+
target_attach = dma_buf_attach(target_dmabuf,
&nvavp->nvhost_dev->dev);
if (IS_ERR(target_attach)) {
