Commit 8831acb9 authored Jun 20, 2024 by Justin Green Committed by Liu Chuang Jun 20, 2024

drm/mediatek: Add 0 size check to mtk_drm_gem_obj

mainline inclusion
from mainline-v6.10-rc1
commit 1e4350095e8ab2577ee05f8c3b044e661b5af9a0
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S8E
CVE: CVE-2024-38549

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1e4350095e8ab2577ee05f8c3b044e661b5af9a0



--------------------------------

Add a check to mtk_drm_gem_init if we attempt to allocate a GEM object
of 0 bytes. Currently, no such check exists and the kernel will panic if
a userspace application attempts to allocate a 0x0 GBM buffer.

Tested by attempting to allocate a 0x0 GBM buffer on an MT8188 and
verifying that we now return EINVAL.

Fixes: 119f5173 ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
Signed-off-by: Justin Green <greenjustin@chromium.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Reviewed-by: CK Hu <ck.hu@mediatek.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20240307180051.4104425-1-greenjustin@chromium.org/


Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Liu Chuang <liuchuang40@huawei.com>

parent 6990e866

drivers/gpu/drm/mediatek/mtk_drm_gem.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -21,6 +21,9 @@ static struct mtk_drm_gem_obj mtk_drm_gem_init(struct drm_device dev,

		size = round_up(size, PAGE_SIZE);

		if (size == 0)
		return ERR_PTR(-EINVAL);

		mtk_gem_obj = kzalloc(sizeof(*mtk_gem_obj), GFP_KERNEL);
		if (!mtk_gem_obj)
		return ERR_PTR(-ENOMEM);