video: tegra: host: validate error notifier offset Make sure that the notifier object fits within the supplied buffer. Bug:27299111 Change-Id: Ifbf46eddea86bedf0236851ea1c3f73e5f820beb Signed-off-by: Konsta Holtta <kholtta@nvidia.com> (cherry picked from commit c94e2c4927d5c6a2fd67a99502f1e4ea6bf3bb59)

commit: 5e9b017093eb06eeea7b90d47c9418cbd22bed7d [log] [tgz]
author: Konsta Holtta <kholtta@nvidia.com> Tue Mar 08 13:56:19 2016 +0200
committer: Mark Salyzyn <salyzyn@google.com> Tue Mar 22 23:03:54 2016 +0000
tree: 415e599df7d736498dda0f30cc7cd84f93e3ec7b
parent: 9e6e25e1eb1de8fd4a41a0ad2997d7f36421c235 [diff]
diff --git a/drivers/video/tegra/host/bus_client.c b/drivers/video/tegra/host/bus_client.c
index 1052c63..576800d 100644
--- a/drivers/video/tegra/host/bus_client.c
+++ b/drivers/video/tegra/host/bus_client.c

@@ -328,6 +328,7 @@
 static int nvhost_init_error_notifier(struct nvhost_channel *ch,
 		struct nvhost_set_error_notifier *args) {
 	void *va;
+	u64 end = args->offset + sizeof(struct nvhost_notification);
 
 	struct dma_buf *dmabuf;
 	if (!args->mem) {
@@ -345,7 +346,13 @@
 		return -EINVAL;
 	}
 
-	/* map handle */
+	if (end > dmabuf->size || end < sizeof(struct nvhost_notification)) {
+		dma_buf_put(dmabuf);
+		pr_err("%s: invalid offset\n", __func__);
+		return -EINVAL;
+	}
+
+	/* map handle and clear error notifier struct */
 	va = dma_buf_vmap(dmabuf);
 	if (!va) {
 		dma_buf_put(dmabuf);
commit	5e9b017093eb06eeea7b90d47c9418cbd22bed7d	[log] [tgz]
author	Konsta Holtta <kholtta@nvidia.com>	Tue Mar 08 13:56:19 2016 +0200
committer	Mark Salyzyn <salyzyn@google.com>	Tue Mar 22 23:03:54 2016 +0000
tree	415e599df7d736498dda0f30cc7cd84f93e3ec7b
parent	9e6e25e1eb1de8fd4a41a0ad2997d7f36421c235 [diff]