author | Naseer Ahmed <naseer@codeaurora.org> | 2016-08-04 14:25:23 -0400 |
---|---|---|
committer | Patrick Tjin <pattjin@google.com> | 2016-08-24 13:43:03 -0700 |
commit | b162aae6d2f3223e6bc971fa9fc31647b1fde08e (patch) | |
tree | e9d7672a7c73023a3932ac86918adbf636e3d531 | |
parent | 11032d745836280574827bb1db5e64a94945180e (diff) |
msm: mdss: Fix to validate data copied from user spaceandroid-6.0.1_r0.127
The overlay zorder values copied from user space are used
as index in left_lm_zo_cnt and right_lm_zo_cnt. This fix
will validate the overlay zorder value copied from user
space to not go beyond MDSS_MDP_MAX_STAGE, thus preventing
any arbitrary increments in kernel memory.
Bug: 30019716
CRs-Fixed: 1049232
Change-Id: Ie8e65ce9f58cb357204bfa4c6a6e0fccec82d5ba
Signed-off-by: Shalini Krishnamoorthi <shakri@codeaurora.org>
Signed-off-by: Naseer Ahmed <naseer@codeaurora.org>
-rw-r--r-- | drivers/video/msm/mdss/mdss_mdp_overlay.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/drivers/video/msm/mdss/mdss_mdp_overlay.c b/drivers/video/msm/mdss/mdss_mdp_overlay.c
index 6a6b1e67ffa8..f59b94fbae6c 100644
--- a/drivers/video/msm/mdss/mdss_mdp_overlay.c
+++ b/drivers/video/msm/mdss/mdss_mdp_overlay.c
@@ -3025,16 +3025,20 @@ static int __mdss_overlay_src_split_sort(struct msm_fb_data_type *mfd,
 __overlay_swap_func);
 for (i = 0; i < num_ovs; i++) {
+ if (ovs[i].z_order >= MDSS_MDP_MAX_STAGE) {
+ pr_err("invalid stage:%u\n", ovs[i].z_order);
+ return -EINVAL;
+ }
 if (ovs[i].dst_rect.x < left_lm_w) {
 if (left_lm_zo_cnt[ovs[i].z_order] == 2) {
- pr_err("more than 2 ov @ stage%d on left lm\n",
+ pr_err("more than 2 ov @ stage%u on left lm\n",
 ovs[i].z_order);
 return -EINVAL;
 }
 left_lm_zo_cnt[ovs[i].z_order]++;
 } else {
 if (right_lm_zo_cnt[ovs[i].z_order] == 2) {
- pr_err("more than 2 ov @ stage%d on right lm\n",
+ pr_err("more than 2 ov @ stage%u on right lm\n",
 ovs[i].z_order);
 return -EINVAL;
 } |
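Review bot: The new guard at the top of the loop bounds `ovs[i].z_order` by `MDSS_MDP_MAX_STAGE`, but `left_lm_zo_cnt` and `right_lm_zo_cnt` are declared outside this hunk, so the check is only correct while both arrays have exactly that many elements. If they are local arrays, tying the bound to the storage keeps the two from drifting apart: `if (ovs[i].z_order >= ARRAY_SIZE(left_lm_zo_cnt)) {`, with `BUILD_BUG_ON(ARRAY_SIZE(left_lm_zo_cnt) != ARRAY_SIZE(right_lm_zo_cnt));` next to the declarations. The rejected value comes from user space, so the caller can trigger each `pr_err` in this loop at will. `pr_err_ratelimited("invalid stage:%u\n", ovs[i].z_order);` would stop a misbehaving client from flooding the kernel log. The function body starts before and continues past the hunk, so whether other uses of `z_order` from the same user-supplied list are validated cannot be judged from here.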