From a47290f516f323833a09497a465b4c879bfe436b Mon Sep 17 00:00:00 2001
From: Konsta Holtta
Date: Tue, 8 Mar 2016 13:56:19 +0200
Subject: [PATCH] video: tegra: host: validate error notifier offset

Make sure that the notifier object fits within the supplied buffer.

Bug 1739183

Change-Id: Ifbf46eddea86bedf0236851ea1c3f73e5f820beb
Signed-off-by: Konsta Holtta
Reviewed-on: http://git-master/r/1026409
(cherry-picked from commit 4086d2137e9b51137aa335fa264d924c73dea5fc)
Reviewed-on: http://git-master/r/1028145
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Arto Merilainen
---
 drivers/video/tegra/host/bus_client.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/video/tegra/host/bus_client.c b/drivers/video/tegra/host/bus_client.c
index ced6223ec3f..b1dedf4a0dd 100644
--- a/drivers/video/tegra/host/bus_client.c
+++ b/drivers/video/tegra/host/bus_client.c
@@ -419,6 +419,7 @@ static int nvhost_init_error_notifier(struct nvhost_channel_userctx *ctx,
 {
 	struct dma_buf *dmabuf;
 	void *va;
+	u64 end = args->offset + sizeof(struct nvhost_notification);
 
 	/* are we releasing old reference? */
 	if (!args->mem) {
@@ -435,6 +436,12 @@ static int nvhost_init_error_notifier(struct nvhost_channel_userctx *ctx,
 		return -EINVAL;
 	}
 
+	if (end > dmabuf->size || end < sizeof(struct nvhost_notification)) {
+		dma_buf_put(dmabuf);
+		pr_err("%s: invalid offset\n", __func__);
+		return -EINVAL;
+	}
+
 	/* map handle and clear error notifier struct */
 	va = dma_buf_vmap(dmabuf);
 	if (!va) {
-- 
2.39.2
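Review bot: The bounds check in the second hunk relies on `end < sizeof(struct nvhost_notification)` to catch wrap-around of the `u64` addition made in the first hunk, which is correct only if `args->offset` is itself 64-bit and the sum is evaluated in `u64` (the type of `args->offset` is not visible here); a subtraction form avoids the overflow reasoning entirely and the `end` temporary: `if (args->offset > dmabuf->size || dmabuf->size - args->offset < sizeof(struct nvhost_notification))`. Whichever form is kept, a one-line comment such as `/* reject offsets that wrap or leave no room for the notifier struct */` would document why both halves of the condition are needed. The `pr_err` on the new reject path fires on a userspace-supplied ioctl argument, so an unprivileged caller can fill the kernel log by repeating the call; `pr_err_ratelimited` is the conventional choice for user-triggerable validation failures, assuming the surrounding code does not already rate-limit. nvhost_init_error_notifier begins before the first hunk and continues past the second, so the later use of `args->offset` against `va` is not visible for review.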