From 5dec6c2a0b1693a51f7a5ab8c8667fb545e535ac Mon Sep 17 00:00:00 2001
From: Jack Diver
Date: Wed, 30 Aug 2023 10:32:12 +0000
Subject: mali_kbase: platform: Fix integer overflow

Fix potential integer overflow within buffer liveness ioctl.

Bug: 296984851
Test: N/A
Change-Id: Ib1c9ee25a89b0a39ec905f109ee2c57c502428db
(cherry picked from https://partner-android-review.googlesource.com/q/commit:02e5329e2e3f4af00f51560895b5bbe87fe824ef)
Signed-off-by: Jack Diver
---
 mali_kbase/platform/pixel/pixel_gpu_slc.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

(limited to 'mali_kbase')

diff --git a/mali_kbase/platform/pixel/pixel_gpu_slc.c b/mali_kbase/platform/pixel/pixel_gpu_slc.c
index eebdeb1..c7ec0c9 100644
--- a/mali_kbase/platform/pixel/pixel_gpu_slc.c
+++ b/mali_kbase/platform/pixel/pixel_gpu_slc.c
@@ -308,25 +308,34 @@ static void gpu_slc_liveness_update(struct kbase_context* kctx,
 int gpu_pixel_handle_buffer_liveness_update_ioctl(struct kbase_context* kctx, struct kbase_ioctl_buffer_liveness_update* update)
 {
-	int err = 0;
+	int err = -EINVAL;
 	struct gpu_slc_liveness_update_info info;
-	u64* buff;
+	u64* buff = NULL;
+	u64 total_buff_size;
 
 	/* Compute the sizes of the user space arrays that we need to copy */
 	u64 const buffer_info_size = sizeof(u64) * update->buffer_count;
 	u64 const live_ranges_size = sizeof(struct kbase_pixel_gpu_slc_liveness_mark) * update->live_ranges_count;
 
-	/* Nothing to do */
+	/* Guard against overflows and empty sizes */
 	if (!buffer_info_size || !live_ranges_size)
 		goto done;
-
+	if (U64_MAX / sizeof(u64) < update->buffer_count)
+		goto done;
+	if (U64_MAX / sizeof(struct kbase_pixel_gpu_slc_liveness_mark) < update->live_ranges_count)
+		goto done;
 
 	/* Guard against nullptr */
 	if (!update->live_ranges_address || !update->buffer_va_address || !update->buffer_sizes_address)
 		goto done;
 
+	/* Calculate the total buffer size required and detect overflows */
+	if ((U64_MAX - live_ranges_size) / 2 < buffer_info_size)
+		goto done;
+
+	total_buff_size = buffer_info_size * 2 + live_ranges_size;
 
 	/* Allocate the memory we require to copy from user space */
-	buff = kmalloc(buffer_info_size * 2 + live_ranges_size, GFP_KERNEL);
+	buff = kmalloc(total_buff_size, GFP_KERNEL);
 	if (buff == NULL) {
 		dev_err(kctx->kbdev->dev, "pixel: failed to allocate buffer for liveness update");
 		err = -ENOMEM;
-- 
cgit v1.2.3
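Review bot: Changing the default to `int err = -EINVAL;` turns the `!buffer_info_size || !live_ranges_size` early-out, which the old comment called "Nothing to do", into an ioctl failure for a zero-count update; if an empty update is still a legitimate no-op, that branch needs `err = 0;` before its `goto done` (the `done:` label lies outside the hunk, so I cannot see whether it distinguishes the two cases). The two `U64_MAX / sizeof(...)` guards run after `buffer_info_size` and `live_ranges_size` have already been computed, which is well-defined for u64 but means the emptiness check above them is evaluated on possibly wrapped values, and if the count fields are narrower than u64 the guards can never fire; `check_mul_overflow()` from linux/overflow.h would make both the intent and the operand types explicit. Note also that the counts remain user-controlled and unbounded after this change, so the only cap on `total_buff_size` is `kmalloc` failing, which emits the `dev_err` on every oversized request; rejecting counts above a documented maximum (e.g. a `MAX_LIVENESS_ENTRIES` placeholder defined with the ioctl) before the allocation would be a cheaper and quieter check.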