nouveau: Check userspace pointer before dereference

Bug: 38415808 Change-Id: I60bedcb9cf706df91f3fc27c682d0dda26d1b416 Signed-off-by: Mark Zhang <markz@nvidia.com>
author: Mark Zhang <markz@nvidia.com> 2017-08-04 10:32:38 +0800
committer: Adrian Salido <salidoa@google.com> 2017-08-17 13:58:43 -0700
commit: 40286163f84a29993c2f552a237256541875a1b4 (patch)
tree: a30e19365bcefbde7e54dfa9baf73df333dfe54f
parent: 77d06077f621fde3b337838aec67865dd9f3267b (diff)
download: tegra-40286163f84a29993c2f552a237256541875a1b4.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/drivers/gpu/drm/nouveau/nouveau_usif.c b/drivers/gpu/drm/nouveau/nouveau_usif.c
index cb1182d7e80e..8d4fcc17b2b4 100644
--- a/drivers/gpu/drm/nouveau/nouveau_usif.c
+++ b/drivers/gpu/drm/nouveau/nouveau_usif.c
@@ -316,6 +316,12 @@ usif_ioctl(struct drm_file *filp, void __user *user, u32 argc)
 	} else
 		goto done;
 
+	object = (void *)(unsigned long)argv->v0.token;
+	if (!access_ok(VERIFY_READ, object, sizeof(struct usif_object))) {
+		ret = -EINVAL;
+		goto done;
+	}
+
 	mutex_lock(&cli->mutex);
 	switch (argv->v0.type) {
 	case NVIF_IOCTL_V0_NEW:
@@ -340,7 +346,6 @@ usif_ioctl(struct drm_file *filp, void __user *user, u32 argc)
 		break;
 	}
 	if (argv->v0.route == NVDRM_OBJECT_USIF) {
-		object = (void *)(unsigned long)argv->v0.token;
 		argv->v0.route = object->route;
 		argv->v0.token = object->token;
 		if (ret == 0 && argv->v0.type == NVIF_IOCTL_V0_DEL) {
author	Mark Zhang <markz@nvidia.com>	2017-08-04 10:32:38 +0800
committer	Adrian Salido <salidoa@google.com>	2017-08-17 13:58:43 -0700
commit	40286163f84a29993c2f552a237256541875a1b4 (patch)
tree	a30e19365bcefbde7e54dfa9baf73df333dfe54f
parent	77d06077f621fde3b337838aec67865dd9f3267b (diff)
download	tegra-40286163f84a29993c2f552a237256541875a1b4.tar.gz