misc/uacce: fixup out-of-bounds array write

driver inclusion category: Bugfix bugzilla: NA CVE: NA Size in uacce_alloc_dma_buffers api is from mmap size. If size is too big, which can cause size + max_size - 1 overflow. Then ss_num is negative, uacce_sort_dma_buffers api may cause out-of-bounds arraywrite. Signed-off-by: N Yu'an Wang <wangyuan46@huawei.com> Signed-off-by: N Kai Ye <yekai13@huawei.com> Reviewed-by: N Zhou Wang <wangzhou1@hisilicon.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

misc/uacce: fixup out-of-bounds array write
driver inclusion category: Bugfix bugzilla: NA CVE: NA Size in uacce_alloc_dma_buffers api is from mmap size. If size is too big, which can cause size + max_size - 1 overflow. Then ss_num is negative, uacce_sort_dma_buffers api may cause out-of-bounds arraywrite. Signed-off-by: N Yu'an Wang <wangyuan46@huawei.com> Signed-off-by: N Kai Ye <yekai13@huawei.com> Reviewed-by: N Zhou Wang <wangzhou1@hisilicon.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
7b2b2e29 · Yu'an Wang · Yang Yingliang · d2c956ae · 7b2b2e29
显示空白变更内容
内联并排

Showing with 3 addition and 2 deletion

drivers/misc/uacce/uacce.c drivers/misc/uacce/uacce.c +3 -2

未找到文件。
--- a/drivers/misc/uacce/uacce.c
+++ b/drivers/misc/uacce/uacce.c
@@ -321,13 +321,14 @@ static int uacce_alloc_dma_buffers(struct uacce_queue *q,
 	unsigned long start = vma->vm_start;
 	struct uacce *uacce = q->uacce;
 	struct uacce_dma_slice *slice;
-	int i, ss_num;
+	unsigned long ss_num;
+	int i;

 	/* Set maximum slice size is 128MB */
 	if (max_size > UACCE_GRAN_NUM_MASK << UACCE_GRAN_SHIFT)
 		max_size = (UACCE_GRAN_NUM_MASK + 1) << (UACCE_GRAN_SHIFT - 1);

-	ss_num = (size + max_size - 1) / max_size;
+	ss_num = size / max_size + (size % max_size ? 1 : 0);
 	slice = kcalloc(ss_num + 1, sizeof(*slice), GFP_KERNEL | __GFP_ZERO);
 	if (!slice)
 		return -ENOMEM;