author | Archana Sriram <apsrir@codeaurora.org> | 2017-01-06 17:34:57 +0530 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2017-01-18 21:36:43 -0800 |
commit | ec4cee0b9415bc3cc011cf216a0a3a680d10b481 (patch) | |
tree | 4a6b8fcbdafb92dfd33aab60c4079c9f40093b02 /libmemtrack | |
parent | 9b50abe92fa5ba8a9afce95ee355978aa5b41d3f (diff) | |
libmemtrack: Fix integer overflow in kgsl function
In the kgsl function which gets memory info for a
pid, there is a possibility of integer overflow
in operations with size, mapsize, accounted_size,
and unaccounted_size, due to which the result might be
smaller than these values. The external inputs size and
mapsize are verified, and overflow checks have been added.
CRs-Fixed: 1103020
Change-Id: Ic450e990598777591739635facc08fb7a2e477f9
Signed-off-by: Archana Sriram <apsrir@codeaurora.org>
Diffstat (limited to 'libmemtrack')
-rw-r--r-- | libmemtrack/kgsl.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/libmemtrack/kgsl.c b/libmemtrack/kgsl.c
index c3aa86ef..877b54ee 100644
--- a/libmemtrack/kgsl.c
+++ b/libmemtrack/kgsl.c
@@ -93,19 +93,31 @@ int kgsl_memtrack_get_memory(pid_t pid, enum memtrack_type type,
 continue;
 }
+ if (size == 0)
+ return -EINVAL;
+
+ if (unaccounted_size + size < size)
+ return -ERANGE;
+
 if (type == MEMTRACK_TYPE_GL && strcmp(line_type, "gpumem") == 0) {
 if (flags[6] == 'Y') {
+ if (accounted_size + mapsize < accounted_size)
+ return -ERANGE;
+
 accounted_size += mapsize;
- unaccounted_size += size - mapsize;
- } else
- unaccounted_size += size;
+ if (mapsize > size)
+ return -EINVAL;
+
+ unaccounted_size += size - mapsize;
+ } else
+ unaccounted_size += size;
 } else if (type == MEMTRACK_TYPE_GRAPHICS && strcmp(line_type, "ion") == 0) {
 if (strcmp(line_usage, "egl_surface") == 0)
 unaccounted_size += size;
 else if (egl_surface_count == 0)
- unaccounted_size += size / (egl_image_count ? egl_image_count : 1);
+ unaccounted_size += size / (egl_image_count ? egl_image_count : 1);
 }
 } |
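Review bot: The four new `return -EINVAL` / `return -ERANGE` statements exit from the middle of the per-line loop, so any cleanup placed after the loop is skipped; the stream these lines are parsed from is opened outside the hunk, and if it is closed only after the loop, every rejected line would leave it open in the calling process. Recording the error and leaving the loop instead, e.g. `ret = -ERANGE; break;` followed by a single return after the existing close, keeps one exit path (the name `ret` is illustrative, not taken from the file). The `size == 0` and `unaccounted_size + size < size` checks also run before the `line_type` filter, so a row that would never be counted can fail the whole query; moving them into the branches that actually add `size` would narrow that. The wraparound comparisons are only well-defined if `size`, `mapsize` and both totals are unsigned, which their declarations outside the hunk should confirm. kgsl_memtrack_get_memory starts and ends outside the hunk.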