From 36bd9c2d793fc31f6d5e6ab2ac14abbd9c62bcf9 Mon Sep 17 00:00:00 2001 From: lulu2 Date: Fri, 7 Jul 2017 15:28:51 +0800 Subject: mtk: ged: heapoverflow fix MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Patch Type: Customer Request CR ID: ALPS03342077 Severity: Critical Description: [Buganizer]Security Vulnerability 37205193 - A ***6797 driver bug(ged_HeapOverflow) [[Title for Customer]] [Buganizer]Security Vulnerability 37205193 - A ***6797 driver bug(ged_HeapOverflow) [[Problem Description]] [Buganizer]Security Vulnerability 37205193 - A ***6797 driver bug(ged_HeapOverflow) [[Potential Impa*** of the solution]] N/A [[Modules to be verified after taking p***h]] N/A [[問題標題]] [Buganizer]Security Vulnerability 37205193 - A ***6797 driver bug(ged_HeapOverflow) [[問題現象]] [Buganizer]Security Vulnerability 37205193 - A ***6797 driver bug(ged_HeapOverflow) [[解法可能帶來的影響]] (請填寫於此行下方,並描述如果合入這個p***h可能會有什麼trade off的改變,如perfo******e降低、UI改變等等) N/A [[建議驗證模塊]] (請填寫於此行下方,並建議客戶合了此p***h後要驗證哪些module或feature) N/A [[Title for Customer]] Security Vulnerability [[Problem Description]] ged_HeapOverflow / kernel exception [[Potential Impa*** of the solution]] none [[Modules to be verified after taking p***h]] OpenGL|ES releated [[問題標題]] Security Vulnerability [[問題現象]] ged_HeapOverflow / kernel exception [[解法可能帶來的影響]] (請填寫於此行下方,並描述如果合入這個p***h可能會有什麼trade off的改變,如perfo******e降低、UI改變等等) 無 [[建議驗證模塊]] (請填寫於此行下方,並建議客戶合了此p***h後要驗證哪些module或feature) OpenGL|ES 相關N/A Associated Files: kernel-3.18/drivers/misc/mediatek/gpu/ged/src/ged_main.c Signed-off-by: Mister Oyster
---
 drivers/misc/mediatek/gpu/ged/src/ged_main.c | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/drivers/misc/mediatek/gpu/ged/src/ged_main.c b/drivers/misc/mediatek/gpu/ged/src/ged_main.c
index 593d6d4a6..4b2579b40 100644
--- a/drivers/misc/mediatek/gpu/ged/src/ged_main.c
+++ b/drivers/misc/mediatek/gpu/ged/src/ged_main.c
@@ -108,23 +108,36 @@ static long ged_dispatch(GED_BRIDGE_PACKAGE *psBridgePackageKM)
 }
 }
 
+ /* Make sure that the UM will never break the KM.
+ * Check IO size are both matched the size of IO sturct.
+ */
+#define SET_FUNC_AND_CHECK(func, struct_name) do { \
+ pFunc = (ged_bridge_func_type *) func; \
+ if (sizeof(GED_BRIDGE_IN_##struct_name) > psBridgePackageKM->i32InBufferSize || \
+ sizeof(GED_BRIDGE_OUT_##struct_name) > psBridgePackageKM->i32OutBufferSize) { \
+ GED_LOGE("GED_BRIDGE_COMMAND_##cmd fail io_size:%d/%d, expected: %zu/%zu", \
+ psBridgePackageKM->i32InBufferSize, psBridgePackageKM->i32OutBufferSize, \
+ sizeof(GED_BRIDGE_IN_##struct_name), sizeof(GED_BRIDGE_OUT_##struct_name)); \
+ goto dispatch_exit; \
+ } } while (0)
+
 // we will change the below switch into a function pointer mapping table in the future
 switch(GED_GET_BRIDGE_ID(psBridgePackageKM->ui32FunctionID))
 {
 case GED_BRIDGE_COMMAND_LOG_BUF_GET:
- pFunc = (ged_bridge_func_type*)ged_bridge_log_buf_get;
+ SET_FUNC_AND_CHECK(ged_bridge_log_buf_get, LOGBUFGET);
 break;
 case GED_BRIDGE_COMMAND_LOG_BUF_WRITE:
- pFunc = (ged_bridge_func_type*)ged_bridge_log_buf_write;
+ SET_FUNC_AND_CHECK(ged_bridge_log_buf_write, LOGBUFWRITE);
 break;
 case GED_BRIDGE_COMMAND_LOG_BUF_RESET:
- pFunc = (ged_bridge_func_type*)ged_bridge_log_buf_reset;
+ SET_FUNC_AND_CHECK(ged_bridge_log_buf_reset, LOGBUFRESET);
 break;
 case GED_BRIDGE_COMMAND_BOOST_GPU_FREQ:
- pFunc = (ged_bridge_func_type*)ged_bridge_boost_gpu_freq;
+ SET_FUNC_AND_CHECK(ged_bridge_boost_gpu_freq, BOOSTGPUFREQ);
 break;
 case GED_BRIDGE_COMMAND_MONITOR_3D_FENCE:
- pFunc = (ged_bridge_func_type*)ged_bridge_monitor_3D_fence;
+ SET_FUNC_AND_CHECK(ged_bridge_monitor_3D_fence, MONITOR3DFENCE);
 break;
 default:
 GED_LOGE("Unknown Bridge ID: %u\n", GED_GET_BRIDGE_ID(psBridgePackageKM->ui32FunctionID));
@@ -145,6 +158,7 @@ static long ged_dispatch(GED_BRIDGE_PACKAGE *psBridgePackageKM)
 }
 }
 
+dispatch_exit:
 return ret;
 }
 
--
cgit v1.2.3
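Review bot: The size guard in SET_FUNC_AND_CHECK compares `sizeof(...)` against `i32InBufferSize`/`i32OutBufferSize`, which the `%d` in the log line indicates are signed 32-bit, and under the usual arithmetic conversions a negative size is converted to a huge unsigned value, so `sizeof(X) > size` is false and the guard lets it through. If those sizes are later used for the copy into the IO structs (that part of ged_dispatch is outside the hunk), the check should reject negative values explicitly and only then cast for the unsigned comparison. A second defect is the log message: `##` is not applied inside a string literal and `cmd` is not a macro parameter, so GED_LOGE prints the literal text "GED_BRIDGE_COMMAND_##cmd"; stringify the parameter instead, `GED_LOGE(#func " fail io_size:%d/%d, expected: %zu/%zu", \`. The `goto dispatch_exit` path returns whatever `ret` held before the switch, and that initialisation is outside both hunks, so confirm it is an error code, otherwise a rejected call reports success to userspace. ged_dispatch begins before the first hunk, and the macro is defined inside the function body without a matching `#undef`.
```c
#define SET_FUNC_AND_CHECK(func, struct_name) do { \
	pFunc = (ged_bridge_func_type *) func; \
	if (psBridgePackageKM->i32InBufferSize < 0 || \
	    psBridgePackageKM->i32OutBufferSize < 0 || \
	    sizeof(GED_BRIDGE_IN_##struct_name) > (size_t)psBridgePackageKM->i32InBufferSize || \
	    sizeof(GED_BRIDGE_OUT_##struct_name) > (size_t)psBridgePackageKM->i32OutBufferSize) { \
		GED_LOGE(#func " fail io_size:%d/%d, expected: %zu/%zu", \
		/* … unchanged: log arguments, goto dispatch_exit, macro close … */
```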