ANDROID: drivers: gpu: drm: fix bugs encountered while fuzzing

The DRM framework does not have an upper bound on the number of open
file descriptors; this resulted in exhaustion
of file descriptors while fuzzing. Also, add an
upper bound on memory allocation for the
drm_property_blob structure.

Signed-off-by: Shashank Babu Chinta Venkata <sbchin@codeaurora.org>
Bug: 139653858
Change-Id: I42bd3696371db6ae37789e3f7f43db045e166898
Shashank Babu Chinta Venkata
2019-09-09 17:48:16 -07:00
committed by Alistair Delva
parent 67eaae5d74
commit 7017a09c4d
2 changed files with 22 additions and 2 deletions


@@ -46,6 +46,8 @@
/* from BKL pushdown */
DEFINE_MUTEX(drm_global_mutex);
#define MAX_DRM_OPEN_COUNT 128
/**
* DOC: file operations
*
@@ -322,6 +324,11 @@ int drm_open(struct inode *inode, struct file *filp)
if (!dev->open_count++)
need_setup = 1;
if (dev->open_count >= MAX_DRM_OPEN_COUNT) {
retcode = -EPERM;
goto err_undo;
}
/* share address_space across all char-devs of a single device */
filp->f_mapping = dev->anon_inode->i_mapping;
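Review bot: The limit check in drm_open runs after `dev->open_count++` and compares with `>=`, so the 128th concurrent open is the one rejected and the effective cap is 127 rather than MAX_DRM_OPEN_COUNT; `if (dev->open_count > MAX_DRM_OPEN_COUNT)` would match the constant's name. The bail-out is only balanced if the `err_undo` label, which lies outside this hunk, decrements `open_count` again, so that is worth confirming. Because the counter is per device rather than per client, one process holding descriptors up to the cap makes every other open fail, which trades descriptor exhaustion for a denial of service against other DRM clients; a comment on the define such as `/* device-wide cap on concurrent opens, not per-process */` would make that trade-off explicit. `-EPERM` also reads as a permissions failure to user space, and `-EMFILE` or `-EBUSY` would likely describe the condition better.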


@@ -26,6 +26,9 @@
#include "drm_crtc_internal.h"
#define MAX_BLOB_PROP_SIZE (PAGE_SIZE * 30)
#define MAX_BLOB_PROP_COUNT 250
/**
* DOC: overview
*
@@ -556,7 +559,8 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
struct drm_property_blob *blob;
int ret;
if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
if (!length || length > MAX_BLOB_PROP_SIZE -
sizeof(struct drm_property_blob))
return ERR_PTR(-EINVAL);
blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
@@ -782,12 +786,21 @@ int drm_mode_createblob_ioctl(struct drm_device *dev,
void *data, struct drm_file *file_priv)
{
struct drm_mode_create_blob *out_resp = data;
struct drm_property_blob *blob;
struct drm_property_blob *blob, *bt;
int ret = 0;
u32 count = 0;
if (!drm_core_check_feature(dev, DRIVER_MODESET))
return -EINVAL;
mutex_lock(&dev->mode_config.blob_lock);
list_for_each_entry(bt, &file_priv->blobs, head_file)
count++;
mutex_unlock(&dev->mode_config.blob_lock);
if (count >= MAX_BLOB_PROP_COUNT)
return -EOPNOTSUPP;
blob = drm_property_create_blob(dev, out_resp->length, NULL);
if (IS_ERR(blob))
return PTR_ERR(blob);
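Review bot: The per-file blob count in drm_mode_createblob_ioctl is taken under `blob_lock`, but the lock is dropped before the `count >= MAX_BLOB_PROP_COUNT` test and before the blob is created, so concurrent calls on the same file can each observe a count below the cap and together exceed it. The step that links the new blob into `file_priv->blobs` is outside this hunk; repeating the check inside that same locked section and releasing the blob when over the cap, or keeping a counter in `struct drm_file` updated under `blob_lock`, would close the window and avoid walking the list on every call. In the drm_property_create_blob hunk of this file, the new `MAX_BLOB_PROP_SIZE` bound applies to every caller of that function, not only this ioctl, and scales with `PAGE_SIZE`, so the accepted length differs between page-size configurations; a comment on the define stating the intended byte limit would help. `-EOPNOTSUPP` suggests the ioctl is unsupported, where `-ENOSPC` or `-ENOMEM` would likely be clearer to callers.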