Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
core: add overflow check in mobj_reg_shm_alloc()
In function mobj_reg_shm_alloc(), the macro MOBJ_REG_SHM_SIZE() could overflow depending on 'nr_pages'. In such case, the mobj_reg_shm memory would be a small memory block, while num_pages would be large, which could lead to a generous memcpy() when copying the pages in internal memory, the outcome of this depends on memory mapping. Note: no attack path are identified to exploit this overflow, however it is error prone and could lead to a future vulnerability. This commit replaces the MOBJ_REG_SHM_SIZE() macro with a static function that performs the same computation, but returns 0 in case of integer overflow. The call site is updated to return an error status should this situation happen. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.3] Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
- Loading branch information