提交 4a630fad 编写于 作者: K Kasin Li 提交者: Rob Clark

drm/msm: Fix potential buffer overflow issue

In function submit_create, if nr_cmds or nr_bos is assigned with
negative value, the allocated buffer may be small than intended.
Using this buffer will lead to buffer overflow issue.
Signed-off-by: NKasin Li <donglil@codeaurora.org>
Signed-off-by: NJordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: NRob Clark <robdclark@gmail.com>
上级 51c9fbe6
...@@ -31,11 +31,14 @@ ...@@ -31,11 +31,14 @@
#define BO_PINNED 0x2000 #define BO_PINNED 0x2000
static struct msm_gem_submit *submit_create(struct drm_device *dev, static struct msm_gem_submit *submit_create(struct drm_device *dev,
struct msm_gpu *gpu, int nr_bos, int nr_cmds) struct msm_gpu *gpu, uint32_t nr_bos, uint32_t nr_cmds)
{ {
struct msm_gem_submit *submit; struct msm_gem_submit *submit;
int sz = sizeof(*submit) + (nr_bos * sizeof(submit->bos[0])) + uint64_t sz = sizeof(*submit) + (nr_bos * sizeof(submit->bos[0])) +
(nr_cmds * sizeof(*submit->cmd)); (nr_cmds * sizeof(submit->cmd[0]));
if (sz > SIZE_MAX)
return NULL;
submit = kmalloc(sz, GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY); submit = kmalloc(sz, GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY);
if (!submit) if (!submit)
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册