gpu: nvgpu: validate wait notification offset

Make sure that the notification object fits within the supplied buffer. Bug 1739182 Change-Id: Ifb66f848e3758438f37645be6f534f5b60260214 Signed-off-by: Konsta Holtta <kholtta@nvidia.com> Reviewed-on: http://git-master/r/1026431 (cherry picked from commit 2484c47f123c717030aa00253446e8756e1a0807) Reviewed-on: http://git-master/r/1030875 Reviewed-by: Automatic_Commit_Validation_User GVS: Gerrit_Virtual_Submit Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
2025-12-24 10:34:43 +03:00 · 2016-03-08 14:35:21 +02:00
parent ec023c3ff7
commit f07a046a52
1 changed files with 8 additions and 0 deletions
--- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
@@ -2408,6 +2408,7 @@ static int gk20a_channel_wait(struct channel_gk20a *ch,
 	u32 offset;
 	unsigned long timeout;
 	int remain, ret = 0;
+	u64 end;

 	gk20a_dbg_fn("");

@@ -2423,6 +2424,7 @@ static int gk20a_channel_wait(struct channel_gk20a *ch,
 	case NVGPU_WAIT_TYPE_NOTIFIER:
 		id = args->condition.notifier.dmabuf_fd;
 		offset = args->condition.notifier.offset;
+		end = offset + sizeof(struct notification);

 		dmabuf = dma_buf_get(id);
 		if (IS_ERR(dmabuf)) {
@@ -2431,6 +2433,12 @@ static int gk20a_channel_wait(struct channel_gk20a *ch,
 			return -EINVAL;
 		}

+		if (end > dmabuf->size || end < sizeof(struct notification)) {
+			dma_buf_put(dmabuf);
+			gk20a_err(d, "invalid notifier offset\n");
+			return -EINVAL;
+		}
+
 		notif = dma_buf_vmap(dmabuf);
 		if (!notif) {
 			gk20a_err(d, "failed to map notifier memory");