From ebcec19f5bb72ce29f229ecd43bb21fceee48dc4 Mon Sep 17 00:00:00 2001
From: Nirmal Abraham <nabrah@codeaurora.org>
Date: Tue, 17 Jun 2014 12:17:35 +0530
Subject: msm: mdss: validate input args of mdss_overlay_compat_ioctl

check if ovlist32 arg is valid before dereferencing it to
avoid NULL ptr or an invalid address access.

Change-Id: Ice0845ad0afdb20d7e101f114fc0a443d6aff19a
Signed-off-by: Nirmal Abraham <nabrah@codeaurora.org>
Signed-off-by: Raghavendra Ambadas <rambad@codeaurora.org>
---
 drivers/video/fbdev/msm/mdss_compat_utils.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

(limited to 'drivers')

diff --git a/drivers/video/fbdev/msm/mdss_compat_utils.c b/drivers/video/fbdev/msm/mdss_compat_utils.c
index 0a01751f4b96..dc54f6f59537 100644
--- a/drivers/video/fbdev/msm/mdss_compat_utils.c
+++ b/drivers/video/fbdev/msm/mdss_compat_utils.c
@@ -2454,6 +2454,7 @@ int mdss_compat_overlay_ioctl(struct fb_info *info, unsigned int cmd,
 	struct mdp_overlay_list32 __user *ovlist32;
 	size_t layers_refs_sz, layers_sz, prepare_sz;
 	void __user *total_mem_chunk;
+	uint32_t num_overlays;
 	int ret;
 
 	if (!info || !info->par)
@@ -2492,12 +2493,14 @@ int mdss_compat_overlay_ioctl(struct fb_info *info, unsigned int cmd,
 		break;
 	case MSMFB_OVERLAY_PREPARE:
 		ovlist32 = compat_ptr(arg);
+		if (get_user(num_overlays, &ovlist32->num_overlays)) {
+			pr_err("compat mdp prepare failed: invalid arg\n");
+			return -EFAULT;
+		}
 
-		layers_sz = ovlist32->num_overlays *
-					sizeof(struct mdp_overlay);
+		layers_sz = num_overlays * sizeof(struct mdp_overlay);
 		prepare_sz = sizeof(struct mdp_overlay_list);
-		layers_refs_sz = ovlist32->num_overlays *
-					sizeof(struct mdp_overlay *);
+		layers_refs_sz = num_overlays * sizeof(struct mdp_overlay *);
 
 		total_mem_chunk = compat_alloc_user_space(
 			prepare_sz + layers_refs_sz + layers_sz);
@@ -2510,7 +2513,7 @@ int mdss_compat_overlay_ioctl(struct fb_info *info, unsigned int cmd,
 
 		layers_head = total_mem_chunk + prepare_sz;
 		mdss_compat_align_list(total_mem_chunk, layers_head,
-					ovlist32->num_overlays);
+					num_overlays);
 		ovlist = (struct mdp_overlay_list *)total_mem_chunk;
 
 		ret = __from_user_mdp_overlaylist(ovlist, ovlist32,
-- 
cgit v1.2.3