authorJack Diver <diverj@google.com>2023-08-30 10:32:12 +0000
committerJack Diver <diverj@google.com>2023-09-20 16:22:29 +0000
commit5dec6c2a0b1693a51f7a5ab8c8667fb545e535ac (patch)
tree473bbc0df22a9d7868282eea7a817b73e411889d
parentd5d5c0f0f1c4c6b2e803726d1cc668eaa9a6eda2 (diff)
mali_kbase: platform: Fix integer overflow
Fix potential integer overflow within buffer liveness ioctl. Bug: 296984851 Test: N/A Change-Id: Ib1c9ee25a89b0a39ec905f109ee2c57c502428db (cherry picked from https://partner-android-review.googlesource.com/q/commit:02e5329e2e3f4af00f51560895b5bbe87fe824ef) Signed-off-by: Jack Diver <diverj@google.com>
-rw-r--r--mali_kbase/platform/pixel/pixel_gpu_slc.c19
1 files changed, 14 insertions, 5 deletions
diff --git a/mali_kbase/platform/pixel/pixel_gpu_slc.c b/mali_kbase/platform/pixel/pixel_gpu_slc.c
index eebdeb1..c7ec0c9 100644
--- a/mali_kbase/platform/pixel/pixel_gpu_slc.c
+++ b/mali_kbase/platform/pixel/pixel_gpu_slc.c
@@ -308,25 +308,34 @@ static void gpu_slc_liveness_update(struct kbase_context* kctx,
int gpu_pixel_handle_buffer_liveness_update_ioctl(struct kbase_context* kctx,
struct kbase_ioctl_buffer_liveness_update* update)
{
- int err = 0;
+ int err = -EINVAL;
struct gpu_slc_liveness_update_info info;
- u64* buff;
+ u64* buff = NULL;
+ u64 total_buff_size;
/* Compute the sizes of the user space arrays that we need to copy */
u64 const buffer_info_size = sizeof(u64) * update->buffer_count;
u64 const live_ranges_size =
sizeof(struct kbase_pixel_gpu_slc_liveness_mark) * update->live_ranges_count;
- /* Nothing to do */
+ /* Guard against overflows and empty sizes */
if (!buffer_info_size || !live_ranges_size)
goto done;
-
+ if (U64_MAX / sizeof(u64) < update->buffer_count)
+ goto done;
+ if (U64_MAX / sizeof(struct kbase_pixel_gpu_slc_liveness_mark) < update->live_ranges_count)
+ goto done;
/* Guard against nullptr */
if (!update->live_ranges_address || !update->buffer_va_address || !update->buffer_sizes_address)
goto done;
+ /* Calculate the total buffer size required and detect overflows */
+ if ((U64_MAX - live_ranges_size) / 2 < buffer_info_size)
+ goto done;
+
+ total_buff_size = buffer_info_size * 2 + live_ranges_size;
/* Allocate the memory we require to copy from user space */
- buff = kmalloc(buffer_info_size * 2 + live_ranges_size, GFP_KERNEL);
+ buff = kmalloc(total_buff_size, GFP_KERNEL);
if (buff == NULL) {
dev_err(kctx->kbdev->dev, "pixel: failed to allocate buffer for liveness update");
err = -ENOMEM;
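Review bot: The guards added ahead of `kmalloc(total_buff_size, GFP_KERNEL)` reject only arithmetic wraparound, so `total_buff_size` is still set directly by the caller-supplied `buffer_count` and `live_ranges_count`, with no upper bound visible in this hunk. A request just under the overflow limit therefore still reaches the allocator, which will fail it and may log an allocation warning that userspace can trigger at will; capping both counts against a driver-defined maximum before the multiplications (or passing `__GFP_NOWARN`) would close that. The products on the `buffer_info_size` and `live_ranges_size` lines are also computed before the `U64_MAX / sizeof(...)` checks test them; that is well defined for `u64`, but `check_mul_overflow()` and `check_add_overflow()` from `<linux/overflow.h>` would express the same guards at the point of computation. Separately, `err` now starts at `-EINVAL`, so the zero-count path that the old comment called "Nothing to do" appears to return an error instead of 0; the `done:` label is outside the hunk, so this should be confirmed against existing callers. The function body continues past the end of the hunk.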