From patchwork Mon Jun 19 21:36:53 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jordan Crouse X-Patchwork-Id: 9797841 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 1A2DD603F5 for ; Mon, 19 Jun 2017 21:37:01 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1C93328435 for ; Mon, 19 Jun 2017 21:37:01 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 117792844E; Mon, 19 Jun 2017 21:37:01 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_MED,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 9924428435 for ; Mon, 19 Jun 2017 21:37:00 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 8BCA06E228; Mon, 19 Jun 2017 21:36:58 +0000 (UTC) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from smtp.codeaurora.org (smtp.codeaurora.org [198.145.29.96]) by gabe.freedesktop.org (Postfix) with ESMTPS id 97B166E228; Mon, 19 Jun 2017 21:36:57 +0000 (UTC) Received: by smtp.codeaurora.org (Postfix, from userid 1000) id 76FA0607CE; Mon, 19 Jun 2017 21:36:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1497908217; bh=w7aAq1h4XFGQaTtX4aTxp86eQo2esxJp1C1kmGIqMNg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=JTRYQGktYTpu5eQh5WtzWScZktzTsWioCX2sTv20XUYab+d0RXk/VE6JiHJ2kfWcq K92R9Grk8zen6KDH+R9xoq4RN+ppJQooqY1wn3D9VB2DknFWpy9eaWd6MSqviGH1TL iPi2p+8wr4/J1gadbXHdml0zjD0ydeMBhE41O5XU= Received: from jcrouse-lnx.qualcomm.com (i-global254.qualcomm.com [199.106.103.254]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: jcrouse@smtp.codeaurora.org) by smtp.codeaurora.org (Postfix) with ESMTPSA id C4FC660733; Mon, 19 Jun 2017 21:36:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1497908217; bh=w7aAq1h4XFGQaTtX4aTxp86eQo2esxJp1C1kmGIqMNg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=JTRYQGktYTpu5eQh5WtzWScZktzTsWioCX2sTv20XUYab+d0RXk/VE6JiHJ2kfWcq K92R9Grk8zen6KDH+R9xoq4RN+ppJQooqY1wn3D9VB2DknFWpy9eaWd6MSqviGH1TL iPi2p+8wr4/J1gadbXHdml0zjD0ydeMBhE41O5XU= DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org C4FC660733 Authentication-Results: pdx-caf-mail.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org Authentication-Results: pdx-caf-mail.web.codeaurora.org; spf=none smtp.mailfrom=jcrouse@codeaurora.org From: Jordan Crouse To: freedreno@lists.freedesktop.org Subject: [PATCH] drm/msm: Fix potential buffer overflow issue Date: Mon, 19 Jun 2017 15:36:53 -0600 Message-Id: <1497908213-18958-2-git-send-email-jcrouse@codeaurora.org> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1497908213-18958-1-git-send-email-jcrouse@codeaurora.org> References: <1497908213-18958-1-git-send-email-jcrouse@codeaurora.org> Cc: linux-arm-msm@vger.kernel.org, Kasin Li , dri-devel@lists.freedesktop.org X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" X-Virus-Scanned: ClamAV using ClamSMTP From: Kasin Li In function submit_create, if nr_cmds or nr_bos is assigned with negative value, the allocated buffer may be small than intended. Using this buffer will lead to buffer overflow issue. Signed-off-by: Kasin Li Signed-off-by: Jordan Crouse --- drivers/gpu/drm/msm/msm_gem_submit.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c index 7832e64..8264a53 100644 --- a/drivers/gpu/drm/msm/msm_gem_submit.c +++ b/drivers/gpu/drm/msm/msm_gem_submit.c @@ -31,11 +31,14 @@ #define BO_PINNED 0x2000 static struct msm_gem_submit *submit_create(struct drm_device *dev, - struct msm_gpu *gpu, int nr_bos, int nr_cmds) + struct msm_gpu *gpu, uint32_t nr_bos, uint32_t nr_cmds) { struct msm_gem_submit *submit; - int sz = sizeof(*submit) + (nr_bos * sizeof(submit->bos[0])) + - (nr_cmds * sizeof(*submit->cmd)); + uint64_t sz = sizeof(*submit) + (nr_bos * sizeof(submit->bos[0])) + + (nr_cmds * sizeof(submit->cmd[0])); + + if (sz > SIZE_MAX) + return NULL; submit = kmalloc(sz, GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY); if (!submit)