diff options
author | Jack Diver <diverj@google.com> | 2022-03-15 13:01:19 +0000 |
---|---|---|
committer | TreeHugger Robot <treehugger-gerrit@google.com> | 2022-03-16 02:26:18 +0000 |
commit | 10c10e54cd4ca807195f96a9876c5316df51630e (patch) | |
tree | 2edae3de0f050389cbf9ff4d7c9a059570731bd8 | |
parent | 3d9f70261b023712c5113fb715f114ad8db9cfae (diff) | |
download | gpu-android-gs-raviole-5.10-t-beta-1.tar.gz |
mali_kbase: Fix multiplication overflow in kbase_mem_aliasandroid-t-beta-1_r0.4android-gs-raviole-5.10-t-beta-1
The multiplication overflow in kbase_mem_alias can result in a use after
free that grants arbitrary code execution.
Bug: 215001024
Bug: 224740931
Signed-off-by: Jack Diver <diverj@google.com>
Change-Id: I6973188e97729e43999654c053a3105c4affce00
-rw-r--r-- | mali_kbase/mali_kbase_mem_linux.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/mali_kbase/mali_kbase_mem_linux.c b/mali_kbase/mali_kbase_mem_linux.c index 762b5a6..2180412 100644 --- a/mali_kbase/mali_kbase_mem_linux.c +++ b/mali_kbase/mali_kbase_mem_linux.c @@ -1763,7 +1763,7 @@ u64 kbase_mem_alias(struct kbase_context *kctx, u64 *flags, u64 stride, if (!nents) goto bad_nents; - if ((nents * stride) > (U64_MAX / PAGE_SIZE)) + if (nents > (U64_MAX / PAGE_SIZE) / stride) /* 64-bit address range is the max */ goto bad_size; |