msm: kgsl: Add missing check for alloc size(CVE-2016-2468)android-wear-6.0.1_r0.41

In _kgsl_sharedmem_page_alloc(), check for boundary limits of requested alloc size before honoring. Change-Id: Ib76926a6c5994065d5c8f4a9e36b34dff5d4596b Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/238963 Reviewed-by: shunmin_wang <shunmin_wang@asus.com> Tested-by: shunmin_wang <shunmin_wang@asus.com> Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
author: shunmin_wang <shunmin_wang@asus.com> 2016-06-22 10:22:31 +0800
committer: Carol_Jiang <carol_jiang@asus.com> 2016-06-22 10:32:41 +0800
commit: 76f0774427842ca66031bb978737db4f7451c014 (patch)
tree: 0b59e98da9951e840326c7fe0310804b7ddb4e1d
parent: ca72a05ced5e45773922d0f43f46d6832c11de24 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/gpu/msm/kgsl_sharedmem.c b/drivers/gpu/msm/kgsl_sharedmem.c
index b62c3a39b6a1..73f9ed29ad5d 100644
--- a/drivers/gpu/msm/kgsl_sharedmem.c
+++ b/drivers/gpu/msm/kgsl_sharedmem.c
@@ -576,6 +576,10 @@ _kgsl_sharedmem_page_alloc(struct kgsl_memdesc *memdesc,
 	unsigned int align;
 	int step = ((VMALLOC_END - VMALLOC_START)/8) >> PAGE_SHIFT;
 
+	size = PAGE_ALIGN(size);
+	if (size == 0 || size > UINT_MAX)
+		return -EINVAL;
+
 	align = (memdesc->flags & KGSL_MEMALIGN_MASK) >> KGSL_MEMALIGN_SHIFT;
 
 	page_size = get_page_size(size, align);
author	shunmin_wang <shunmin_wang@asus.com>	2016-06-22 10:22:31 +0800
committer	Carol_Jiang <carol_jiang@asus.com>	2016-06-22 10:32:41 +0800
commit	76f0774427842ca66031bb978737db4f7451c014 (patch)
tree	0b59e98da9951e840326c7fe0310804b7ddb4e1d
parent	ca72a05ced5e45773922d0f43f46d6832c11de24 (diff)