author | Jordan Crouse <jcrouse@codeaurora.org> | 2017-06-12 09:16:42 -0600 |
---|---|---|
committer | Jordan Crouse <jcrouse@codeaurora.org> | 2017-06-12 15:08:08 -0600 |
commit | 79492490423bc369da4ded113dca7f5a5b38e656 (patch) | |
tree | c49b904b1369e076adff1ebcfa66d9ffbf760ce3 /drivers | |
parent | c1a2472056c800ff46e0ac21a4b67c179a570ad0 (diff) |
drm/msm: Fix possible overflow issue in submit_cmd
When verifying that the submit_cmd offset and size do not exceed the
bounds of the GEM object make sure to cast the math operation
into a suitably large buffer to account for overflow.
Change-Id: Ic0dedbad97513ee538d539e771038b3cf0405e91
Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/gpu/drm/msm/msm_gem_submit.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
index c861bfd77537..c8d4dc6e40e0 100644
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -434,6 +434,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
 to_user_ptr(args->cmds + (i * sizeof(submit_cmd)));
 struct msm_gem_object *msm_obj;
 uint64_t iova;
+ size_t size;
 
 ret = copy_from_user(&submit_cmd, userptr, sizeof(submit_cmd));
 if (ret) {
@@ -466,10 +467,12 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
 goto out;
 }
 
- if (!(submit_cmd.size) ||
- ((submit_cmd.size + submit_cmd.submit_offset) >
- msm_obj->base.size)) {
- DRM_ERROR("invalid cmdstream size: %u\n", submit_cmd.size);
+ size = submit_cmd.size + submit_cmd.submit_offset;
+
+ if (!submit_cmd.size || (size < submit_cmd.size) ||
+ (size > msm_obj->base.size)) {
+ DRM_ERROR("invalid cmdstream offset/size: %u/%u\n",
+ submit_cmd.submit_offset, submit_cmd.size);
 ret = -EINVAL;
 goto out;
 } |
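Review bot: In the second hunk the sum `submit_cmd.size + submit_cmd.submit_offset` is still evaluated in the operands' own type before it is stored in the new `size_t size`, so if both fields are 32-bit (the `%u` format suggests so; their declaration is outside the hunk) nothing is widened and the bounds check rests entirely on the `size < submit_cmd.size` wrap test. That test does catch the wrap, but the commit message describes a cast that the code does not contain, and a later cleanup could drop the comparison as redundant. I would either widen one operand explicitly, `uint64_t end = (uint64_t)submit_cmd.submit_offset + submit_cmd.size;`, or avoid the addition altogether with `submit_cmd.submit_offset > msm_obj->base.size || submit_cmd.size > msm_obj->base.size - submit_cmd.submit_offset`, and add a comment such as `/* offset and size come from userspace; reject wrap-around before the bounds check */`. The enclosing msm_ioctl_gem_submit() starts and ends outside both hunks.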