media: tegra: nvavp: Fix reloc offset check l4t/l4t-r24.1 origin/l4t/l4t-r24.1 rtime/l4t/l4t-r24.1 tegra-l4t-r24.1
authorSomu Sundaram <somasundaram@nvidia.com>
Fri, 18 Mar 2016 07:22:59 +0000 (12:52 +0530)
committerWinnie Hsu <whsu@nvidia.com>
Wed, 4 May 2016 03:58:51 +0000 (20:58 -0700)
- Check whether command buffer data offset is 32-bit
  aligned
- Check whether relocation offset is 32-bit aligned
  and calculated offset is within command buffer size
- Check whether target offset is 32-bit aligned
  and derived address is within target buffer size

Bug 1741516

Change-Id: Ie5370bc1538c8cf9a702904fb88eb850baeb063d
Signed-off-by: Somu Sundaram <somasundaram@nvidia.com>
Reviewed-on: http://git-master/r/1112711
(cherry picked from commit 1d58fc311d5eeb4e525c195c99593d8309a565a1)
Reviewed-on: http://git-master/r/1140881
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>
drivers/media/platform/tegra/nvavp/nvavp_dev.c

index f7219b2eb696d059a26ed881f02acb4be494298d..7c83fb9c22cc69355f2790cfbb0bed1b95690170 100644 (file)
@@ -1601,7 +1601,8 @@ static int nvavp_pushbuffer_submit_ioctl(struct file *filp, unsigned int cmd,
                return PTR_ERR(cmdbuf_dmabuf);
        }
 
-       if (hdr.cmdbuf.offset > cmdbuf_dmabuf->size) {
+       if ((hdr.cmdbuf.offset & 3)
+               || (hdr.cmdbuf.offset >= cmdbuf_dmabuf->size)) {
                dev_err(&nvavp->nvhost_dev->dev,
                        "invalid cmdbuf offset %d\n", hdr.cmdbuf.offset);
                ret = -EINVAL;
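Review bot: Each of the three rejection paths logs with an unthrottled `dev_err`, starting with `"invalid cmdbuf offset %d\n"` here and repeated for the reloc and target offset messages in the next two hunks. If `hdr` and `relocs[]` are supplied by the ioctl caller, as the function name suggests but the hunk does not show, any process that can open the device node can fill the kernel log by submitting rejected offsets repeatedly. `dev_err_ratelimited(&nvavp->nvhost_dev->dev, "invalid cmdbuf offset %u\n", hdr.cmdbuf.offset);` keeps the diagnostic without that side effect. The `%u` assumes the offset fields are unsigned, which should be confirmed against the struct declaration; with `%d` a large rejected value is printed as a negative number. The body of nvavp_pushbuffer_submit_ioctl starts and ends outside the hunk.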
@@ -1645,7 +1646,11 @@ static int nvavp_pushbuffer_submit_ioctl(struct file *filp, unsigned int cmd,
                        goto err_reloc_info;
                }
 
-               if (clientctx->relocs[i].cmdbuf_offset > cmdbuf_dmabuf->size) {
+               if ((clientctx->relocs[i].cmdbuf_offset & 3)
+                       || (clientctx->relocs[i].cmdbuf_offset >=
+                               cmdbuf_dmabuf->size)
+                       || (clientctx->relocs[i].cmdbuf_offset >=
+                               (cmdbuf_dmabuf->size - hdr.cmdbuf.offset))) {
                        dev_err(&nvavp->nvhost_dev->dev,
                                "invalid reloc offset in cmdbuf %d\n",
                                clientctx->relocs[i].cmdbuf_offset);
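Review bot: The new bound on `relocs[i].cmdbuf_offset` proves only that the first byte of the patched location lies inside the buffer, not the whole 32-bit word. If the relocation is applied as a 4-byte store at `hdr.cmdbuf.offset + cmdbuf_offset` (the store is outside this hunk), a dma-buf whose size is not a multiple of four would let the last store run past the end; comparing the end of the word closes that: `|| ((u64)clientctx->relocs[i].cmdbuf_offset + sizeof(u32) > cmdbuf_dmabuf->size - hdr.cmdbuf.offset)`. The subtraction cannot wrap only because the first hunk rejects `hdr.cmdbuf.offset >= cmdbuf_dmabuf->size` (assuming that path bails out), which deserves a one-line comment next to the check. The middle clause `cmdbuf_offset >= cmdbuf_dmabuf->size` is implied by the last one and can be dropped. The `target_offset` check in the following hunk has the same start-only shape.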
@@ -1662,7 +1667,9 @@ static int nvavp_pushbuffer_submit_ioctl(struct file *filp, unsigned int cmd,
                        goto target_dmabuf_fail;
                }
 
-               if (clientctx->relocs[i].target_offset > target_dmabuf->size) {
+               if ((clientctx->relocs[i].target_offset & 3)
+                       || (clientctx->relocs[i].target_offset >=
+                               target_dmabuf->size)) {
                        dev_err(&nvavp->nvhost_dev->dev,
                                "invalid target offset in reloc %d\n",
                                clientctx->relocs[i].target_offset);