authorlulu2 <lulu2@lenovo.com>2017-07-07 15:28:51 +0800
committerMister Oyster <oysterized@gmail.com>2017-12-13 22:20:46 +0100
commit36bd9c2d793fc31f6d5e6ab2ac14abbd9c62bcf9 (patch)
tree940b175d7343154bc82409f857dd97922019654c
parent66ab0808aa404e6605f86950afc32c7e6a5a2e5b (diff)
mtk: ged: heapoverflow fix
Patch Type: Customer Request CR ID: ALPS03342077 Severity: Critical Description: [Buganizer]Security Vulnerability 37205193 - A ***6797 driver bug(ged_HeapOverflow) [[Title for Customer]] [Buganizer]Security Vulnerability 37205193 - A ***6797 driver bug(ged_HeapOverflow) [[Problem Description]] [Buganizer]Security Vulnerability 37205193 - A ***6797 driver bug(ged_HeapOverflow) [[Potential Impa*** of the solution]] N/A [[Modules to be verified after taking p***h]] N/A [[問題標題]] [Buganizer]Security Vulnerability 37205193 - A ***6797 driver bug(ged_HeapOverflow) [[問題現象]] [Buganizer]Security Vulnerability 37205193 - A ***6797 driver bug(ged_HeapOverflow) [[解法可能帶來的影響]] (請填寫於此行下方,並描述如果合入這個p***h可能會有什麼trade off的改變,如perfo******e降低、UI改變等等) N/A [[建議驗證模塊]] (請填寫於此行下方,並建議客戶合了此p***h後要驗證哪些module或feature) N/A [[Title for Customer]] Security Vulnerability [[Problem Description]] ged_HeapOverflow / kernel exception [[Potential Impa*** of the solution]] none [[Modules to be verified after taking p***h]] OpenGL|ES releated [[問題標題]] Security Vulnerability [[問題現象]] ged_HeapOverflow / kernel exception [[解法可能帶來的影響]] (請填寫於此行下方,並描述如果合入這個p***h可能會有什麼trade off的改變,如perfo******e降低、UI改變等等) 無 [[建議驗證模塊]] (請填寫於此行下方,並建議客戶合了此p***h後要驗證哪些module或feature) OpenGL|ES 相關N/A Associated Files: kernel-3.18/drivers/misc/mediatek/gpu/ged/src/ged_main.c Signed-off-by: Mister Oyster <oysterized@gmail.com>
-rw-r--r--drivers/misc/mediatek/gpu/ged/src/ged_main.c24
1 files changed, 19 insertions, 5 deletions
diff --git a/drivers/misc/mediatek/gpu/ged/src/ged_main.c b/drivers/misc/mediatek/gpu/ged/src/ged_main.c
index 593d6d4a6..4b2579b40 100644
--- a/drivers/misc/mediatek/gpu/ged/src/ged_main.c
+++ b/drivers/misc/mediatek/gpu/ged/src/ged_main.c
@@ -108,23 +108,36 @@ static long ged_dispatch(GED_BRIDGE_PACKAGE *psBridgePackageKM)
}
}
+ /* Make sure that the UM will never break the KM.
+ * Check IO size are both matched the size of IO sturct.
+ */
+#define SET_FUNC_AND_CHECK(func, struct_name) do { \
+ pFunc = (ged_bridge_func_type *) func; \
+ if (sizeof(GED_BRIDGE_IN_##struct_name) > psBridgePackageKM->i32InBufferSize || \
+ sizeof(GED_BRIDGE_OUT_##struct_name) > psBridgePackageKM->i32OutBufferSize) { \
+ GED_LOGE("GED_BRIDGE_COMMAND_##cmd fail io_size:%d/%d, expected: %zu/%zu", \
+ psBridgePackageKM->i32InBufferSize, psBridgePackageKM->i32OutBufferSize, \
+ sizeof(GED_BRIDGE_IN_##struct_name), sizeof(GED_BRIDGE_OUT_##struct_name)); \
+ goto dispatch_exit; \
+ } } while (0)
+
// we will change the below switch into a function pointer mapping table in the future
switch(GED_GET_BRIDGE_ID(psBridgePackageKM->ui32FunctionID))
{
case GED_BRIDGE_COMMAND_LOG_BUF_GET:
- pFunc = (ged_bridge_func_type*)ged_bridge_log_buf_get;
+ SET_FUNC_AND_CHECK(ged_bridge_log_buf_get, LOGBUFGET);
break;
case GED_BRIDGE_COMMAND_LOG_BUF_WRITE:
- pFunc = (ged_bridge_func_type*)ged_bridge_log_buf_write;
+ SET_FUNC_AND_CHECK(ged_bridge_log_buf_write, LOGBUFWRITE);
break;
case GED_BRIDGE_COMMAND_LOG_BUF_RESET:
- pFunc = (ged_bridge_func_type*)ged_bridge_log_buf_reset;
+ SET_FUNC_AND_CHECK(ged_bridge_log_buf_reset, LOGBUFRESET);
break;
case GED_BRIDGE_COMMAND_BOOST_GPU_FREQ:
- pFunc = (ged_bridge_func_type*)ged_bridge_boost_gpu_freq;
+ SET_FUNC_AND_CHECK(ged_bridge_boost_gpu_freq, BOOSTGPUFREQ);
break;
case GED_BRIDGE_COMMAND_MONITOR_3D_FENCE:
- pFunc = (ged_bridge_func_type*)ged_bridge_monitor_3D_fence;
+ SET_FUNC_AND_CHECK(ged_bridge_monitor_3D_fence, MONITOR3DFENCE);
break;
default:
GED_LOGE("Unknown Bridge ID: %u\n", GED_GET_BRIDGE_ID(psBridgePackageKM->ui32FunctionID));
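Review bot: The size check in `SET_FUNC_AND_CHECK` compares `sizeof(...)` (a `size_t`) with `i32InBufferSize` and `i32OutBufferSize`, which the `i32` prefix and the `%d` format suggest are signed, so a negative value is converted to a very large unsigned number and passes the check. Unless ged_dispatch already rejects negative sizes before this point (the function starts outside the hunk), the guard should test the sign first, e.g. `psBridgePackageKM->i32InBufferSize < 0 || sizeof(GED_BRIDGE_IN_##struct_name) > (size_t)psBridgePackageKM->i32InBufferSize`, and likewise for the out size. Separately, `##cmd` inside the string literal is never expanded and the macro has no `cmd` parameter, so the error log prints that text literally; `"GED_BRIDGE_COMMAND_" #struct_name " fail io_size:%d/%d, expected: %zu/%zu\n"` would name the rejected command and end the line as the `default:` log does. The macro is also left defined after the function; an `#undef SET_FUNC_AND_CHECK` after the switch would keep it local.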
@@ -145,6 +158,7 @@ static long ged_dispatch(GED_BRIDGE_PACKAGE *psBridgePackageKM)
}
}
+dispatch_exit:
return ret;
}
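Review bot: The new `dispatch_exit:` label returns `ret` unchanged, so the rejected-size path taken by `goto dispatch_exit` in `SET_FUNC_AND_CHECK` returns whatever `ret` held before the switch. Its initialisation is outside the hunk, so it should be confirmed that this is a failure value, or set explicitly before the jump so that a rejected request is never reported as success. The jump also skips everything between the switch and the label, so anything acquired earlier in ged_dispatch must not rely on that skipped code for release. A short comment on the label, such as `/* reached directly when the bridge I/O size check fails */`, would make the early-exit path clear.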