mali_kbase: Fix OOB write in kbase_csf_cpu_queue_dump()android-u-qpr2-beta-1_r0.6 android-u-qpr2-beta-1_r0.5 android-u-qpr2-beta-1_r0.4 android-u-qpr2-beta-1_r0.3 android-u-qpr2-beta-1_r0.2 android-u-qpr2-beta-1_r0.1

Bug: 299991153 Change-Id: I63342d7ca91f4150d7e5e376d8e91f0accf22dd4
author: Guus Sliepen <gsliepen@google.com> 2023-09-25 14:52:26 +0000
committer: Guus Sliepen <gsliepen@google.com> 2023-10-04 07:06:10 +0000
commit: d189615d99899161efdee2f6284ecf80319772b2 (patch)
tree: 4b186bc45c8a096e4306654982f1874b9cb3e5df
parent: d2429d159b0db18184298ad404009b3a38464ccb (diff)
download: gpu-d189615d99899161efdee2f6284ecf80319772b2.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/mali_kbase/csf/mali_kbase_csf_cpu_queue_debugfs.c b/mali_kbase/csf/mali_kbase_csf_cpu_queue_debugfs.c
index a319a4a..d783650 100644
--- a/mali_kbase/csf/mali_kbase_csf_cpu_queue_debugfs.c
+++ b/mali_kbase/csf/mali_kbase_csf_cpu_queue_debugfs.c
@@ -132,6 +132,9 @@ int kbase_csf_cpu_queue_dump(struct kbase_context *kctx,
 	if (!buffer || !alloc_size)
 		return 0;
 
+	if (alloc_size > SIZE_MAX - PAGE_SIZE)
+		return -ENOMEM;
+
 	alloc_size = (alloc_size + PAGE_SIZE) & ~(PAGE_SIZE - 1);
 	dump_buffer = kzalloc(alloc_size, GFP_KERNEL);
 	if (!dump_buffer)
author	Guus Sliepen <gsliepen@google.com>	2023-09-25 14:52:26 +0000
committer	Guus Sliepen <gsliepen@google.com>	2023-10-04 07:06:10 +0000
commit	d189615d99899161efdee2f6284ecf80319772b2 (patch)
tree	4b186bc45c8a096e4306654982f1874b9cb3e5df
parent	d2429d159b0db18184298ad404009b3a38464ccb (diff)
download	gpu-d189615d99899161efdee2f6284ecf80319772b2.tar.gz