drm/exynos: g2d: prevent integer overflow in
authorJoonyoung Shim <jy0922.shim@samsung.com>
Mon, 23 Jan 2017 09:13:54 +0000 (18:13 +0900)
committerInki Dae <inki.dae@samsung.com>
Mon, 30 Jan 2017 23:50:35 +0000 (08:50 +0900)
commite41456bfc811f12b5dcda6f2d6849bdff68f6c0a
tree4403954b52737f4e9a46bc746859a0109b766af0
parent8646dcb8a0def1c1cd4c855e08b17abce0cdc5d1
drm/exynos: g2d: prevent integer overflow in

The size computations done in the ioctl function use an integer.
If userspace submits a request with req->cmd_nr or req->cmd_buf_nr
set to INT_MAX, the integer computations overflow later, leading
to potential (kernel) memory corruption.

Prevent this issue by enforcing a limit on the number of submitted
commands, so that we have enough headroom later for the size
computations.

Note that this change has no impact on the currently available
users in userspace, like e.g. libdrm/exynos.

While at it, also make a comment about the size computation more
detailed.

Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
Signed-off-by: Tobias Jakobi <tjakobi@math.uni-bielefeld.de>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
drivers/gpu/drm/exynos/exynos_drm_g2d.c