Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 8e5ca01ac966b91818c9612cc3f988538a261ef2
commit8e5ca01ac966b91818c9612cc3f988538a261ef2[log] [tgz]
authorJoonyoung Shim <jy0922.shim@samsung.com>Sat Oct 07 22:37:34 2017 +0000
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Wed Nov 08 10:08:37 2017 +0100
treedbf1630232fdea02708c5695f233116012917905
parent2a6576f56eabb84a1e0fe1a6d62a46c106688bae [diff]
drm/exynos: g2d: prevent integer overflow in


[ Upstream commit e41456bfc811f12b5dcda6f2d6849bdff68f6c0a ]

The size computations done in the ioctl function use an integer.
If userspace submits a request with req->cmd_nr or req->cmd_buf_nr
set to INT_MAX, the integer computations overflow later, leading
to potential (kernel) memory corruption.

Prevent this issue by enforcing a limit on the number of submitted
commands, so that we have enough headroom later for the size
computations.

Note that this change has no impact on the currently available
users in userspace, like e.g. libdrm/exynos.

While at it, also make a comment about the size computation more
detailed.

Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
Signed-off-by: Tobias Jakobi <tjakobi@math.uni-bielefeld.de>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 file changed
tree: dbf1630232fdea02708c5695f233116012917905
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. COPYING
  29. CREDITS
  30. Kbuild
  31. Kconfig
  32. MAINTAINERS
  33. Makefile
  34. README
  35. REPORTING-BUGS