mali_kbase: Fix multiplication overflow in kbase_mem_aliasandroid-t-beta-1_r0.4 android-gs-raviole-5.10-t-beta-1

The multiplication overflow in kbase_mem_alias can result in a use after free that grants arbitrary code execution. Bug: 215001024 Bug: 224740931 Signed-off-by: Jack Diver <diverj@google.com> Change-Id: I6973188e97729e43999654c053a3105c4affce00
author: Jack Diver <diverj@google.com> 2022-03-15 13:01:19 +0000
committer: TreeHugger Robot <treehugger-gerrit@google.com> 2022-03-16 02:26:18 +0000
commit: 10c10e54cd4ca807195f96a9876c5316df51630e (patch)
tree: 2edae3de0f050389cbf9ff4d7c9a059570731bd8
parent: 3d9f70261b023712c5113fb715f114ad8db9cfae (diff)
download: gpu-android-gs-raviole-5.10-t-beta-1.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/mali_kbase/mali_kbase_mem_linux.c b/mali_kbase/mali_kbase_mem_linux.c
index 762b5a6..2180412 100644
--- a/mali_kbase/mali_kbase_mem_linux.c
+++ b/mali_kbase/mali_kbase_mem_linux.c
@@ -1763,7 +1763,7 @@ u64 kbase_mem_alias(struct kbase_context *kctx, u64 *flags, u64 stride,
 	if (!nents)
 		goto bad_nents;
 
-	if ((nents * stride) > (U64_MAX / PAGE_SIZE))
+	if (nents > (U64_MAX / PAGE_SIZE) / stride)
 		/* 64-bit address range is the max */
 		goto bad_size;
author	Jack Diver <diverj@google.com>	2022-03-15 13:01:19 +0000
committer	TreeHugger Robot <treehugger-gerrit@google.com>	2022-03-16 02:26:18 +0000
commit	10c10e54cd4ca807195f96a9876c5316df51630e (patch)
tree	2edae3de0f050389cbf9ff4d7c9a059570731bd8
parent	3d9f70261b023712c5113fb715f114ad8db9cfae (diff)
download	gpu-android-gs-raviole-5.10-t-beta-1.tar.gz