From 79389f0814fc1a24483ce3b194362f8f12fd882d Mon Sep 17 00:00:00 2001
From: Pauli Nieminen
Date: Wed, 23 Nov 2011 21:06:25 +0200
Subject: [PATCH] gfx: pvr: Move ioctl number check before first use

Driver is using user provided ioctl number before checking if it is in valid range. That makes it possible to force kernel to read memory past the end of ioctl information array.

Signed-off-by: Pauli Nieminen
Acked-by: Imre Deak
Signed-off-by: Kirill A. Shutemov
---
 .../mrst/pvr/services4/srvkm/bridged/bridged_pvr_bridge.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/staging/mrst/pvr/services4/srvkm/bridged/bridged_pvr_bridge.c b/drivers/staging/mrst/pvr/services4/srvkm/bridged/bridged_pvr_bridge.c
index c161d43..6f1e2dd 100644
--- a/drivers/staging/mrst/pvr/services4/srvkm/bridged/bridged_pvr_bridge.c
+++ b/drivers/staging/mrst/pvr/services4/srvkm/bridged/bridged_pvr_bridge.c
@@ -3850,6 +3850,13 @@ IMG_INT BridgedDispatchKM(PVRSRV_PER_PROCESS_DATA * psPerProc,
 IMG_INT err = -EFAULT;
 PVRSRV_ERROR pvr_err = PVRSRV_OK;

+ if(ui32BridgeID >= (BRIDGE_DISPATCH_TABLE_ENTRY_COUNT))
+ {
+ PVR_DPF((PVR_DBG_ERROR, "%s: ui32BridgeID = %d is out if range!",
+ __FUNCTION__, ui32BridgeID));
+ goto return_fault;
+ }
+
 dte = &g_BridgeDispatchTable[ui32BridgeID];

 #if defined(DEBUG_TRACE_BRIDGE_KM)
@@ -3953,12 +3960,6 @@ IMG_INT BridgedDispatchKM(PVRSRV_PER_PROCESS_DATA * psPerProc,
 psBridgeOut = psBridgePackageKM->pvParamOut;
 #endif

- if(ui32BridgeID >= (BRIDGE_DISPATCH_TABLE_ENTRY_COUNT))
- {
- PVR_DPF((PVR_DBG_ERROR, "%s: ui32BridgeID = %d is out if range!",
- __FUNCTION__, ui32BridgeID));
- goto return_fault;
- }
 pfBridgeHandler = (BridgeWrapperFunction)dte->pfFunction;
 err = pfBridgeHandler(ui32BridgeID,
 psBridgeIn,
--
2.7.4
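Review bot: The relocated bounds check in the first hunk still logs the caller-supplied `ui32BridgeID` with `%d`, although its name suggests an unsigned 32-bit value (the declaration is outside the hunk), so large out-of-range IDs would be printed as negative numbers; `%u` fits, and the "out if range" typo can be fixed on the same line: `PVR_DPF((PVR_DBG_ERROR, "%s: ui32BridgeID = %u is out of range!",`. The `goto return_fault` now runs before the roughly one hundred lines that used to precede the check, and the label is not visible here, so it is worth confirming that the cleanup at `return_fault` does not depend on anything initialised in that stretch. Since the index comes from user space and selects a function pointer via `g_BridgeDispatchTable`, clamping it after the check with `array_index_nospec(ui32BridgeID, BRIDGE_DISPATCH_TABLE_ENTRY_COUNT)`, where the target tree provides that helper, would also cover a speculative out-of-bounds read. BridgedDispatchKM begins and ends outside both hunks.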