From patchwork Tue Jan 17 04:42:06 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Joonyoung Shim X-Patchwork-Id: 9519929 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id A9DAE6043D for ; Tue, 17 Jan 2017 04:42:19 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9C22A2849E for ; Tue, 17 Jan 2017 04:42:19 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8F8502849C; Tue, 17 Jan 2017 04:42:19 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 682162849C for ; Tue, 17 Jan 2017 04:42:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750827AbdAQEmR (ORCPT ); Mon, 16 Jan 2017 23:42:17 -0500 Received: from mailout1.samsung.com ([203.254.224.24]:41592 "EHLO mailout1.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750849AbdAQEmQ (ORCPT ); Mon, 16 Jan 2017 23:42:16 -0500 Received: from epcas1p4.samsung.com (unknown [182.195.41.48]) by mailout1.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTP id <0OJW01J18QDB75B0@mailout1.samsung.com> for linux-samsung-soc@vger.kernel.org; Tue, 17 Jan 2017 13:41:35 +0900 (KST) Received: from epsmges5p5.samsung.com (unknown [182.195.40.68]) by epcas1p1.samsung.com (KnoxPortal) with ESMTP id 20170117044135epcas1p15971b7b12b533eee90cb4934a386aea1~adWL_k5LZ2937829378epcas1p13; Tue, 17 Jan 2017 04:41:35 +0000 (GMT) Received: from epcas5p4.samsung.com ( [182.195.41.42]) by epsmges5p5.samsung.com (EPCPMTA) with SMTP id 65.19.27948.F70AD785; Tue, 17 Jan 2017 13:41:35 +0900 (KST) Received: from epcpsbgm2new.samsung.com (u27.gpu120.samsung.co.kr [203.254.230.27]) by epcas5p2.samsung.com (KnoxPortal) with ESMTP id 20170117044134epcas5p2d0e67623efa7eb0b9a1ad6f8a593f0c4~adWLXQZls1760517605epcas5p2j; Tue, 17 Jan 2017 04:41:34 +0000 (GMT) X-AuditID: b6c32a59-f79c56d000006d2c-20-587da07f45dc Received: from epmmp1.local.host ( [203.254.227.16]) by epcpsbgm2new.samsung.com (EPCPMTA) with SMTP id 75.89.26370.E70AD785; Tue, 17 Jan 2017 13:41:34 +0900 (KST) Received: from localhost.localdomain ([10.113.63.51]) by mmp1.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTPA id <0OJW00AR4QD9RF80@mmp1.samsung.com>; Tue, 17 Jan 2017 13:41:34 +0900 (KST) From: Joonyoung Shim To: dri-devel@lists.freedesktop.org Cc: inki.dae@samsung.com, sw0312.kim@samsung.com, jy0922.shim@samsung.com, linux-samsung-soc@vger.kernel.org Subject: [PATCH] drm/exynos: g2d: fix overflow of cmdlist size Date: Tue, 17 Jan 2017 13:42:06 +0900 Message-id: <1484628126-21671-1-git-send-email-jy0922.shim@samsung.com> X-Mailer: git-send-email 1.9.1 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprHKsWRmVeSWpSXmKPExsWy7bCmlm79gtoIg6UnuSyufH3PZjHp/gQW ixf3LrJYzDi/j8lixuSXbA6sHve7jzN59G1ZxejxeZNcAHNUqk1GamJKapFCal5yfkpmXrqt kndwvHO8qZmBoa6hpYW5kkJeYm6qrZKLT4CuW2YO0EolhbLEnFKgUEBicbGSvp1NUX5pSapC Rn5xia1StKGhkZ6hgbmekZGRnolxrJWRKVBJQmrG7mUbmArec1Z8udXA1sA4gaOLkZNDQsBE Yt+VfhYIW0ziwr31bF2MXBxCAksZJebu+c8EkhASaGeS2HpBCqbh7OXlrBBFyxklnj6ZzAxR 9J1RYuHNTBCbTUBP4s6242DNIgLKEn8nrmIEsZkF8iQmvF8OVi8sYCexc8lesBoWAVWJppnP wGp4Bdwlzp/5yAixTE7i5LHJYMskBPawSZxes4C9i5EDyJGV2HSAGaLGRWLDo7WsELawxKvj W9ghbGmJv0tvMUL0djNKHPjzkB3CmcAoMfveDTaIKmOJ+w/uMUNcxyfR+/sJE8QCXomONiEI 00Ni9pNoiGpHiVnz17JD/BsrcfHNTuYJjNILGBlWMYqlFhTnpqcWmxaY6hUn5haX5qXrJefn bmIEpw2tyB2MV2YGHWIU4GBU4uE9Mbc2Qog1say4MvcQowQHs5II763ZQCHelMTKqtSi/Pii 0pzU4kOMpsCgmcgsJZqcD0xpeSXxhiZmhiZGlkBobmiuJM67oMI6QkggPbEkNTs1tSC1CKaP iYNTqoExw+GYyhSB5J7e69UGh5692ax5N+7YCreXEg+D25g9uWzsX8o1KnrNYA/9xWyh1XCb p+XyTKMZ/O4bFh8/99zxcPfXHxOfu87ikFaYvYA7R0/pEq/ZqSeVuvWXQiUaF4gvztDbcm5v Zfvtf0dDumfyv8joZt9c3dCZ4qGRIXCVY+a6CNWdH1mUWIozEg21mIuKEwESRP1OMQMAAA== X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrILMWRmVeSWpSXmKPExsVy+t9jAd26BbURBmfvyVtc+fqezWLS/Qks Fi/uXWSxmHF+H5PFjMkv2RxYPe53H2fy6NuyitHj8ya5AOYoN5uM1MSU1CKF1Lzk/JTMvHRb pdAQN10LJYW8xNxUW6UIXd+QICWFssScUiDPyAANODgHuAcr6dsluGXsXraBqeA9Z8WXWw1s DYwTOLoYOTkkBEwkzl5ezgphi0lcuLeerYuRi0NIYCmjxKSlv5ggnO+MEstO/2UCqWIT0JO4 s+04mC0ioCzxd+IqRhCbWSBPYmHzRjYQW1jATmLnkr1gNSwCqhJNM5+B1fAKuEucP/OREWKb nMTJY5NZJzByL2BkWMUokVqQXFCclJ5rlJdarlecmFtcmpeul5yfu4kRHHzPpHcwHt7lfohR gINRiYd3wZOaCCHWxLLiytxDjBIczEoivLdm10YI8aYkVlalFuXHF5XmpBYfYjQFOmAis5Ro cj4wMvJK4g1NzE3MjQ0szC0tTYyUxHkbZz8LFxJITyxJzU5NLUgtgulj4uCUamDU3Zt5Yr3m 733nim/Ex3w7ra3vetQt5JRq1AedafaXqle2ZfTvem7FtHCn7IQTLUe7DUv3KJeGrumbWazB 7t9nzmqseVgpVV5AKia41WSW6eGPE99t/9X40jphpdGUKaIb5s9j3FF0gyVvEfezinVzmU9K zD1R3RDw1ecJY2tLa0GNYqjAo1VKLMUZiYZazEXFiQC3t0GVVAIAAA== X-MTR: 20000000000000000@CPGS X-CMS-MailID: 20170117044134epcas5p2d0e67623efa7eb0b9a1ad6f8a593f0c4 X-Msg-Generator: CA X-Sender-IP: 203.254.230.27 X-Local-Sender: =?UTF-8?B?7Ius7KSA7JiBG1RpemVuIFBsYXRmb3JtIExhYihTL1fshLw=?= =?UTF-8?B?7YSwKRvsgrzshLHsoITsnpAbUzUo7LGF7J6EKS/ssYXsnoQ=?= X-Global-Sender: =?UTF-8?B?Sm9vbnlvdW5nIFNoaW0bVGl6ZW4gUGxhdGZvcm0gTGFiLhtT?= =?UTF-8?B?YW1zdW5nIEVsZWN0cm9uaWNzG1M1L1NlbmlvciBFbmdpbmVlcg==?= X-Sender-Code: =?UTF-8?B?QzEwG1NUQUYbQzEwVjgxMTE=?= CMS-TYPE: 105P DLP-Filter: Pass X-CFilter-Loop: Reflected X-HopCount: 7 X-CMS-RootMailID: 20170117044134epcas5p2d0e67623efa7eb0b9a1ad6f8a593f0c4 X-RootMTR: 20170117044134epcas5p2d0e67623efa7eb0b9a1ad6f8a593f0c4 References: Sender: linux-samsung-soc-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-samsung-soc@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The size of cmdlist is integer type, so it can be overflowed by cmd and cmd_buf that has too big size. This patch will fix overflow issue as checking maximum size of cmd and cmd_buf. Signed-off-by: Joonyoung Shim --- drivers/gpu/drm/exynos/exynos_drm_g2d.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/exynos/exynos_drm_g2d.c b/drivers/gpu/drm/exynos/exynos_drm_g2d.c index fbd13fa..b31244f 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_g2d.c +++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.c @@ -1250,7 +1250,14 @@ int exynos_g2d_set_cmdlist_ioctl(struct drm_device *drm_dev, void *data, cmdlist->data[cmdlist->last++] = G2D_INTEN_ACF; } - /* Check size of cmdlist: last 2 is about G2D_BITBLT_START */ + /* Check size of cmd and cmdlist: last 2 is about G2D_BITBLT_START */ + size = (G2D_CMDLIST_DATA_NUM - cmdlist->last - 2) / 2; + if (req->cmd_nr > size || req->cmd_buf_nr > size) { + dev_err(dev, "size of cmd or cmd_buf is too big\n"); + ret = -EINVAL; + goto err_free_event; + } + size = cmdlist->last + req->cmd_nr * 2 + req->cmd_buf_nr * 2 + 2; if (size > G2D_CMDLIST_DATA_NUM) { dev_err(dev, "cmdlist size is too big\n");