author | Deepak Nibade <dnibade@nvidia.com> | 2017-06-05 06:32:46 -0400 |
---|---|---|
committer | mobile promotions <svcmobile_promotions@nvidia.com> | 2017-06-06 11:13:43 -0400 |
commit | 9902a49b0bc43ceb64076bce78fe8189ccd24e17 (patch) | |
tree | 6d6df6130758443d2c1fb06443bfba1f9d218690 /drivers/gpu/nvgpu/common/linux | |
parent | 793bc318c558295f8c2a0a2af3e7729dcece6208 (diff) |
gpu: nvgpu: fix use of untrusted scalar value
Kind value can be passed to API nvgpu_vm_map() from User
space (through IOCTL NVGPU_AS_IOCTL_MAP_BUFFER_EX)
But kind value is not checked for sane values
before storing it in bfr.kind_v
And then this unchecked value is used as an array index
in gk20a_kind_is_supported(), so an out-of-range kind indexes outside the table
Fix this by ensuring in nvgpu_vm_map() that the
kind value is well within range
Bug 200291879
Coverity id : 2567923
Coverity id : 2567924
Change-Id: Ic57395018727cbd2260c929581db256e427316c6
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1496597
GVS: Gerrit_Virtual_Submit
Reviewed-by: svccoveritychecker <svccoveritychecker@nvidia.com>
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
Diffstat (limited to 'drivers/gpu/nvgpu/common/linux')
-rw-r--r-- | drivers/gpu/nvgpu/common/linux/vm.c | 8 |
1 files changed, 7 insertions, 1 deletions
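--- a/drivers/gpu/nvgpu/common/linux/vm.c
+++ b/drivers/gpu/nvgpu/common/linux/vm.c
@@ -25,6 +25,7 @@
 
 #include "gk20a/gk20a.h"
 #include "gk20a/mm_gk20a.h"
+#include "gk20a/kind_gk20a.h"
 
 #include "vm_priv.h"
 
@@ -237,7 +238,12 @@ u64 nvgpu_vm_map(struct vm_gk20a *vm,
 		goto clean_up;
 	}
 
-	bfr.kind_v = kind;
+	if (kind >= NV_KIND_ATTR_SIZE) {
+		err = -EINVAL;
+		goto clean_up;
+	} else {
+		bfr.kind_v = kind;
+	}
 	bfr.size = dmabuf->size;
 	sgl = bfr.sgt->sgl;
 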
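Review bot: The new bounds check at new line 241 rejects only values at or above NV_KIND_ATTR_SIZE, which is sufficient only if `kind` is an unsigned type; the parameter's declaration is in the signature outside this hunk, and if it is signed a negative value would still pass the check and reach the table index in gk20a_kind_is_supported() that the commit message describes. Please confirm the parameter type is unsigned, or add an explicit negative rejection if it is not. The `else` after an unconditional `goto clean_up` is also unnecessary in kernel style; `bfr.kind_v = kind;` can follow the `if` block directly. A short comment would help the next reader, e.g. `/* kind is user-supplied (NVGPU_AS_IOCTL_MAP_BUFFER_EX) and indexes the kind attribute table; reject it before storing. */`. nvgpu_vm_map's body starts and ends outside the hunk.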