We need to add a separate size check for this IOCTL's parameters, since
they are passed by a pointer in the IOCTL's input structure. We do check
the size for all IOCTL's input structure already, but we need to cover
such derefenced objects separately.
Increase the driver's minor version too. This will still let the current
user space libraries work, except for this IOCTL, which was broken
before anyway. A related user space library fix will be submitted to
make the IOCTL work.
Signed-off-by: Imre Deak <imre.deak@intel.com>
Tested-by: Pauli Nieminen <pauli.nieminen@linux.intel.com>
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
IMG_UINT32 ui32BridgeFlags;
IMG_HANDLE hDevCookie;
IMG_UINT32 ui32ArraySize;
+ IMG_UINT32 entry_size;
PVRSRV_SGX_HWPERF_CB_ENTRY *psHWPerfCBData;
} PVRSRV_BRIDGE_IN_SGX_READ_HWPERF_CB;
PVRSRV_SGX_HWPERF_CB_ENTRY *psAllocated;
IMG_HANDLE hAllocatedHandle;
IMG_UINT32 ui32AllocatedSize;
+ size_t entry_size;
PVRSRV_BRIDGE_ASSERT_CMD(ui32BridgeID, PVRSRV_BRIDGE_SGX_READ_HWPERF_CB);
return 0;
}
- ui32AllocatedSize = psSGXReadHWPerfCBIN->ui32ArraySize *
- sizeof(psSGXReadHWPerfCBIN->psHWPerfCBData[0]);
+ entry_size = sizeof(psSGXReadHWPerfCBIN->psHWPerfCBData[0]);
+ if (psSGXReadHWPerfCBIN->entry_size != entry_size)
+ return -EINVAL;
+
+ ui32AllocatedSize = psSGXReadHWPerfCBIN->ui32ArraySize * entry_size;
ASSIGN_AND_EXIT_ON_ERROR(psSGXReadHWPerfCBOUT->eError,
OSAllocMem(PVRSRV_OS_PAGEABLE_HEAP,
ui32AllocatedSize,
#define _PVR_DRM_H_
#define PVR_ABI_VER_MAJOR 2
-#define PVR_ABI_VER_MINOR 0
+#define PVR_ABI_VER_MINOR 1
#endif