From 07fb031a9cea70cb733203d3c9867000639c6e87 Mon Sep 17 00:00:00 2001 From: Somu Sundaram Date: Fri, 18 Mar 2016 12:52:59 +0530 Subject: [PATCH] media: tegra: nvavp: Fix reloc offset check - Check whether command buffer data offset is 32-bit aligned - Check whether relocation offset is 32-bit aligned and calculated offset is within command buffer size - Check whether target offset is 32-bit aligned and derived address is within target buffer size Bug 1741516 Change-Id: Ie5370bc1538c8cf9a702904fb88eb850baeb063d Signed-off-by: Somu Sundaram Reviewed-on: http://git-master/r/1112711 (cherry picked from commit 1d58fc311d5eeb4e525c195c99593d8309a565a1) Reviewed-on: http://git-master/r/1140881 Reviewed-by: Automatic_Commit_Validation_User GVS: Gerrit_Virtual_Submit Reviewed-by: Winnie Hsu Tested-by: Winnie Hsu --- drivers/media/platform/tegra/nvavp/nvavp_dev.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/drivers/media/platform/tegra/nvavp/nvavp_dev.c b/drivers/media/platform/tegra/nvavp/nvavp_dev.c index f7219b2eb69..7c83fb9c22c 100644 --- a/drivers/media/platform/tegra/nvavp/nvavp_dev.c +++ b/drivers/media/platform/tegra/nvavp/nvavp_dev.c @@ -1601,7 +1601,8 @@ static int nvavp_pushbuffer_submit_ioctl(struct file *filp, unsigned int cmd, return PTR_ERR(cmdbuf_dmabuf); } - if (hdr.cmdbuf.offset > cmdbuf_dmabuf->size) { + if ((hdr.cmdbuf.offset & 3) + || (hdr.cmdbuf.offset >= cmdbuf_dmabuf->size)) { dev_err(&nvavp->nvhost_dev->dev, "invalid cmdbuf offset %d\n", hdr.cmdbuf.offset); ret = -EINVAL; 
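Review bot: In the first hunk, `(hdr.cmdbuf.offset & 3) || (hdr.cmdbuf.offset >= cmdbuf_dmabuf->size)` leaves room for a whole 32-bit word only when `cmdbuf_dmabuf->size` is itself a multiple of 4; with a size of 6, for example, an offset of 4 passes and only two bytes remain. Nothing in the hunk shows that the dma-buf size is word-aligned, so either state that assumption in a comment or make the bound explicit, e.g. `|| cmdbuf_dmabuf->size < sizeof(u32) || hdr.cmdbuf.offset > cmdbuf_dmabuf->size - sizeof(u32)`. The same applies to the reloc and target offset checks in the two later hunks. The code that consumes these offsets lies outside the hunks, so the 32-bit access width is inferred from the alignment test and the commit message.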
@@ -1645,7 +1646,11 @@ static int nvavp_pushbuffer_submit_ioctl(struct file *filp, unsigned int cmd,
 goto err_reloc_info;
 }
- if (clientctx->relocs[i].cmdbuf_offset > cmdbuf_dmabuf->size) {
+ if ((clientctx->relocs[i].cmdbuf_offset & 3)
+ || (clientctx->relocs[i].cmdbuf_offset >=
+ cmdbuf_dmabuf->size)
+ || (clientctx->relocs[i].cmdbuf_offset >=
+ (cmdbuf_dmabuf->size - hdr.cmdbuf.offset))) {
 dev_err(&nvavp->nvhost_dev->dev,
 "invalid reloc offset in cmdbuf %d\n",
 clientctx->relocs[i].cmdbuf_offset);
@@ -1662,7 +1667,9 @@ static int nvavp_pushbuffer_submit_ioctl(struct file *filp, unsigned int cmd,
 goto target_dmabuf_fail;
 }
- if (clientctx->relocs[i].target_offset > target_dmabuf->size) {
+ if ((clientctx->relocs[i].target_offset & 3)
+ || (clientctx->relocs[i].target_offset >=
+ target_dmabuf->size)) {
 dev_err(&nvavp->nvhost_dev->dev,
 "invalid target offset in reloc %d\n",
 clientctx->relocs[i].target_offset);
--
2.39.2
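Review bot: In the reloc check of the second hunk, the clause `clientctx->relocs[i].cmdbuf_offset >= cmdbuf_dmabuf->size` is implied by the one after it, since `cmdbuf_dmabuf->size - hdr.cmdbuf.offset` cannot exceed `cmdbuf_dmabuf->size` (assuming both operands are unsigned, which the hunk does not show); it can be dropped. That subtraction is safe only because the first hunk already rejects `hdr.cmdbuf.offset >= cmdbuf_dmabuf->size`, and nothing next to this condition says so. I would add `/* hdr.cmdbuf.offset < cmdbuf_dmabuf->size was checked earlier in this function, so this cannot wrap */` above it, so that later reordering does not silently turn the bound into a wrapped value. The enclosing function starts and ends outside the hunk.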