msm: kgsl: Fix Integer overflow in sparse_bind related functions There could be possibility of integer overflow on adding offset with size and result into a value smaller than memdesc size. CRs-Fixed: 1109776 Change-Id: I3746f34c9fb8ada28a9b6ed438ca8c296b69e752 Signed-off-by: Sudeep Yedalapure <sudeepy@codeaurora.org> Signed-off-by: Abhilash Kumar <krabhi@codeaurora.org>

commit: 8ff97990eb9d2d752fce03a793a044cd45ec4bfe [log] [tgz]
author: Sudeep Yedalapure <sudeepy@codeaurora.org> Fri Jan 20 20:12:51 2017 +0530
committer: Lynus Vaz <lvaz@codeaurora.org> Tue Mar 07 14:40:24 2017 +0530
tree: 269e066684677e3a869dbca0f87d9fd666f44e91
parent: 55a453a080b710b53f7b838210e68c7ba4705d4d [diff] [blame]
diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
index 56eae50..280e660 100644
--- a/drivers/gpu/msm/kgsl.c
+++ b/drivers/gpu/msm/kgsl.c

@@ -3627,6 +3627,9 @@
 	if (!IS_ALIGNED(offset | size, kgsl_memdesc_get_pagesize(memdesc)))
 		return false;
 
+	if (offset + size < offset)
+		return false;
+
 	if (!(flags & KGSL_SPARSE_BIND_MULTIPLE_TO_PHYS) &&
 			offset + size > memdesc->size)
 		return false;
@@ -3754,7 +3757,7 @@
 			break;
 
 		/* Sanity check initial range */
-		if (obj.size == 0 ||
+		if (obj.size == 0 || obj.virtoffset + obj.size < obj.size ||
 			obj.virtoffset + obj.size > virt_entry->memdesc.size ||
 			!(IS_ALIGNED(obj.virtoffset | obj.size, pg_sz))) {
 			ret = -EINVAL;
commit	8ff97990eb9d2d752fce03a793a044cd45ec4bfe	[log] [tgz]
author	Sudeep Yedalapure <sudeepy@codeaurora.org>	Fri Jan 20 20:12:51 2017 +0530
committer	Lynus Vaz <lvaz@codeaurora.org>	Tue Mar 07 14:40:24 2017 +0530
tree	269e066684677e3a869dbca0f87d9fd666f44e91
parent	55a453a080b710b53f7b838210e68c7ba4705d4d [diff] [blame]