Skip to content
Snippets Groups Projects
Commit f7d474ad authored by Zhao Xuewen's avatar Zhao Xuewen
Browse files

msm: perf: validate input argument of ev_constraints functions 


Validate input argument before writing into
pmu_constraints_codes array.

CRs-Fixed: 975404

CVE-2016-0843 Bug:ANDROID-25801197

Change-Id: Id68b1d2201ab1af783af2236833b1dc894e08cc7
Signed-off-by: default avatarKishor PK <kpbhat@codeaurora.org>
parent 1e585f1b
Branches
Tags
No related merge requests found
Show whitespace changes
Inline Side-by-side
arch/arm/mach-msm/perf_event_msm_krait_l2.c
+ 17
6
View file @ f7d474ad
/* /*
* Copyright (c) 2011, 2012 The Linux Foundation. All rights reserved. * Copyright (c) 2011,2012,2014,2016 The Linux Foundation. All rights reserved.
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and * it under the terms of the GNU General Public License version 2 and
...@@ -18,13 +18,15 @@ ...@@ -18,13 +18,15 @@
#include <mach/msm-krait-l2-accessors.h> #include <mach/msm-krait-l2-accessors.h>
#define PMU_CODES_SIZE 64
/* /*
* The L2 PMU is shared between all CPU's, so protect * The L2 PMU is shared between all CPU's, so protect
* its bitmap access. * its bitmap access.
*/ */
struct pmu_constraints { struct pmu_constraints {
u64 pmu_bitmap; u64 pmu_bitmap;
u8 codes[64]; u8 codes[PMU_CODES_SIZE];
raw_spinlock_t lock; raw_spinlock_t lock;
} l2_pmu_constraints = { } l2_pmu_constraints = {
.pmu_bitmap = 0, .pmu_bitmap = 0,
...@@ -427,10 +429,9 @@ static int msm_l2_test_set_ev_constraint(struct perf_event *event) ...@@ -427,10 +429,9 @@ static int msm_l2_test_set_ev_constraint(struct perf_event *event)
u8 group = evt_type & 0x0000F; u8 group = evt_type & 0x0000F;
u8 code = (evt_type & 0x00FF0) >> 4; u8 code = (evt_type & 0x00FF0) >> 4;
unsigned long flags; unsigned long flags;
u32 err = 0; int err = 0;
u64 bitmap_t; u64 bitmap_t;
u32 shift_idx; u32 shift_idx;
if (evt_prefix == L2_TRACECTR_PREFIX) if (evt_prefix == L2_TRACECTR_PREFIX)
return err; return err;
/* /*
...@@ -444,6 +445,11 @@ static int msm_l2_test_set_ev_constraint(struct perf_event *event) ...@@ -444,6 +445,11 @@ static int msm_l2_test_set_ev_constraint(struct perf_event *event)
shift_idx = ((reg * 4) + group); shift_idx = ((reg * 4) + group);
if (shift_idx >= PMU_CODES_SIZE) {
err = -EINVAL;
goto out;
}
bitmap_t = 1 << shift_idx; bitmap_t = 1 << shift_idx;
if (!(l2_pmu_constraints.pmu_bitmap & bitmap_t)) { if (!(l2_pmu_constraints.pmu_bitmap & bitmap_t)) {
...@@ -484,6 +490,7 @@ static int msm_l2_clear_ev_constraint(struct perf_event *event) ...@@ -484,6 +490,7 @@ static int msm_l2_clear_ev_constraint(struct perf_event *event)
unsigned long flags; unsigned long flags;
u64 bitmap_t; u64 bitmap_t;
u32 shift_idx; u32 shift_idx;
int err = 1;
if (evt_prefix == L2_TRACECTR_PREFIX) if (evt_prefix == L2_TRACECTR_PREFIX)
return 1; return 1;
...@@ -491,6 +498,10 @@ static int msm_l2_clear_ev_constraint(struct perf_event *event) ...@@ -491,6 +498,10 @@ static int msm_l2_clear_ev_constraint(struct perf_event *event)
shift_idx = ((reg * 4) + group); shift_idx = ((reg * 4) + group);
if (shift_idx >= PMU_CODES_SIZE) {
err = -EINVAL;
goto out;
}
bitmap_t = 1 << shift_idx; bitmap_t = 1 << shift_idx;
/* Clear constraint bit. */ /* Clear constraint bit. */
...@@ -498,9 +509,9 @@ static int msm_l2_clear_ev_constraint(struct perf_event *event) ...@@ -498,9 +509,9 @@ static int msm_l2_clear_ev_constraint(struct perf_event *event)
/* Clear code. */ /* Clear code. */
l2_pmu_constraints.codes[shift_idx] = -1; l2_pmu_constraints.codes[shift_idx] = -1;
out:
raw_spin_unlock_irqrestore(&l2_pmu_constraints.lock, flags); raw_spin_unlock_irqrestore(&l2_pmu_constraints.lock, flags);
return 1; return err;
} }
int get_num_events(void) int get_num_events(void)
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment