authorSubhajit Paul <a0132170@ti.com>2015-06-23 13:25:21 +0300
committerSubhajit Paul <a0132170@ti.com>2015-06-23 13:25:21 +0300
commit430673f78b79eccdf308a6bbfb524209b485d2cc (patch)
tree4046a9cec89c4cf1042ec02f74e79f3f3821794d
parent37e27eb740b27a432ded256250f4edc5b9b2b72d (diff)
km: Fix array-OOB issue in create_gem_wrapper
The number of pages allocated at NewAllocPagesLinuxMemArea [eurasia_km/services4/srvkm/env/linux/mm.c] is stored in psLinuxMemArea->ui32ByteSize. However, the number of pages required is sometimes not the same as the one calculated in BM_GetVirtualSize. It's OK to allocate a bigger array of pages, but let's not try to access the source array beyond its bounds. Signed-off-by: Subhajit Paul <a0132170@ti.com>
-rw-r--r--eurasia_km/services4/srvkm/env/linux/mmap.c14
1 files changed, 13 insertions, 1 deletions
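--- a/eurasia_km/services4/srvkm/env/linux/mmap.c
+++ b/eurasia_km/services4/srvkm/env/linux/mmap.c
@@ -380,6 +380,7 @@ create_gem_wrapper(struct drm_device *dev, LinuxMemArea *psLinuxMemArea,
 struct page **pages = NULL;
 unsigned long paddr = 0;
 int i, npages = PAGE_ALIGN(ui32ByteSize) / PAGE_SIZE;
+ int srcnpages;
 /* from GEM buffer object point of view, we are either mapping
@@ -427,7 +428,18 @@ create_gem_wrapper(struct drm_device *dev, LinuxMemArea *psLinuxMemArea,
 break;
 case LINUX_MEM_AREA_ALLOC_PAGES:
 pages = kmalloc(sizeof(pages) * npages, GFP_KERNEL);
- for (i = 0; i < npages; i++) {
+ /*
+ * The number of pages allocated at NewAllocPagesLinuxMemArea
+ * [eurasia_km/services4/srvkm/env/linux/mm.c] is stored in
+ * psLinuxMemArea->ui32ByteSize.
+ * However, the number of pages required is not at times the
+ * same as calculated in BM_GetVirtualSize.
+ *
+ * Its ok to allocate a bigger array of pages, but let's not
+ * try to access the source array beyond the array bounds.
+ */
+ srcnpages = PAGE_ALIGN(psLinuxMemArea->ui32ByteSize) / PAGE_SIZE;
+ for (i = 0; i < srcnpages; i++) {
 pages[i] = psLinuxMemArea->uData.sPageList.ppsPageList[i + PHYS_TO_PFN(ui32ByteOffset)];
 }
 break;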
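Review bot: The new bound at `for (i = 0; i < srcnpages; i++)` still protects neither array: the source index is `i + PHYS_TO_PFN(ui32ByteOffset)`, so with a non-zero ui32ByteOffset the read can still run past ppsPageList even while i < srcnpages, and since `pages` was allocated for npages entries, any srcnpages larger than npages turns the old out-of-bounds read into an out-of-bounds heap write. The loop count should be the smaller of the two, e.g. `srcnpages = min_t(int, npages, PAGE_ALIGN(psLinuxMemArea->ui32ByteSize) / PAGE_SIZE - PHYS_TO_PFN(ui32ByteOffset));`, where a negative result in int arithmetic simply skips the loop. When srcnpages ends up smaller than npages, the tail of `pages` stays uninitialised because it comes from kmalloc; if whatever consumes `pages` walks npages entries (not visible in this hunk), it should either be allocated with kcalloc or be handed srcnpages as the count. The kmalloc result on the context line is also never checked for NULL before `pages[i]` is written, although that predates this commit. create_gem_wrapper begins and ends outside the hunk.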