author | Guus Sliepen <gsliepen@google.com> | 2023-09-11 09:21:05 +0000 |
---|---|---|
committer | Guus Sliepen <gsliepen@google.com> | 2023-10-08 15:42:56 +0000 |
commit | fb192812bb0feff87f603081741a455f12db1a90 (patch) | |
tree | 8dac2d01c9dd3b82c593e564a6d42933e164b9a1 | |
parent | 1896a2b4ea755ff63e623837bc8cfdd6d9c56adc (diff) | |
mali_kbase: platform: Add missing bounds check
android-u-qpr1-beta-2.2_r0.2 android-u-qpr1-beta-2.2_r0.1 android-14.0.0_r0.22 android-14.0.0_r0.19 android-gs-raviole-5.10-android14-qpr1-beta android-gs-bluejay-5.10-android14-qpr1-beta
Fix potential out-of-bounds read due to missing bounds check.
Bug: 298264460
Signed-off-by: Guus Sliepen <gsliepen@google.com>
Change-Id: I57b67a4177e4fe6d84a261eeb00b6b833da5486b
Merged-In: I57b67a4177e4fe6d84a261eeb00b6b833da5486b
-rw-r--r-- | mali_kbase/platform/pixel/pixel_gpu_slc.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/mali_kbase/platform/pixel/pixel_gpu_slc.c b/mali_kbase/platform/pixel/pixel_gpu_slc.c
index c7ec0c9..94409d2 100644
--- a/mali_kbase/platform/pixel/pixel_gpu_slc.c
+++ b/mali_kbase/platform/pixel/pixel_gpu_slc.c
@@ -28,6 +28,7 @@ struct dirty_region {
 *
 * @buffer_va: Array of buffer base virtual addresses
 * @buffer_sizes: Array of buffer sizes
+ * @buffer_count: Number of elements in the va and sizes buffers
 * @live_ranges: Array of &struct kbase_pixel_gpu_slc_liveness_mark denoting live ranges for
 * each buffer
 * @live_ranges_count: Number of elements in the live ranges buffer
@@ -35,6 +36,7 @@ struct dirty_region {
 struct gpu_slc_liveness_update_info {
 u64* buffer_va;
 u64* buffer_sizes;
+ u64 buffer_count;
 struct kbase_pixel_gpu_slc_liveness_mark* live_ranges;
 u64 live_ranges_count;
 };
@@ -234,8 +236,15 @@ static void gpu_slc_liveness_update(struct kbase_context* kctx,
 for (i = 0; i < info->live_ranges_count; ++i) {
 struct kbase_va_region *reg;
- u64 const size = info->buffer_sizes[info->live_ranges[i].index];
- u64 const va = info->buffer_va[info->live_ranges[i].index];
+ u64 size;
+ u64 va;
+ u32 index = info->live_ranges[i].index;
+
+ if (unlikely(index >= info->buffer_count))
+ continue;
+
+ size = info->buffer_sizes[index];
+ va = info->buffer_va[index];
 reg = gpu_slc_get_region(kctx, va);
 if(!reg)
@@ -346,6 +355,7 @@ int gpu_pixel_handle_buffer_liveness_update_ioctl(struct kbase_context* kctx,
 info = (struct gpu_slc_liveness_update_info){
 .buffer_va = buff,
 .buffer_sizes = buff + update->buffer_count,
+ .buffer_count = update->buffer_count,
 .live_ranges = (struct kbase_pixel_gpu_slc_liveness_mark*)(buff + update->buffer_count * 2),
 .live_ranges_count = update->live_ranges_count,
 }; |
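Review bot: An out-of-range `live_ranges[i].index` is now skipped with a bare `continue` in the loop of gpu_slc_liveness_update(), so a malformed liveness update is accepted and partly applied with nothing reported to the caller, and the visible lines log nothing either. The index appears to originate from the ioctl caller, and because this function returns void (its body starts and ends outside the hunk) the rejection cannot be reported from here. Consider validating the marks where the data is first copied in and returning `-EINVAL` from gpu_pixel_handle_buffer_liveness_update_ioctl(), keeping this check as defence in depth. At minimum the guard deserves a comment such as `/* index is caller-supplied; ignore marks that fall outside buffer_va/buffer_sizes */`.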
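Review bot: The bounds check added in gpu_slc_liveness_update() is only sound if `buff` really holds `update->buffer_count` entries for each of the two u64 arrays, and this hunk does not show how `buff` was sized. `update->buffer_count` and `update->live_ranges_count` appear to come from the ioctl caller, so the size computation above this initializer (outside the hunk) should reject counts for which `update->buffer_count * 2` or the total byte size overflows, for example with `check_mul_overflow()` and `check_add_overflow()` from `<linux/overflow.h>`, before allocating. If that validation already exists, a comment here such as `/* counts were validated against the size of buff above */` would make the invariant visible next to the pointer arithmetic.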