libmemtrack: Fix integer overflow in kgsl function

In the kgsl function which gets memory info for a pid, there could be possibility of integer overflow in operations with size, mapsize, accounted_size, and unaccounted_size due to which result might be smaller than these values. External inputs size and mapsize are verified, and overflow check has been added. CRs-Fixed: 1103020 Change-Id: Ic450e990598777591739635facc08fb7a2e477f9 Signed-off-by: Archana Sriram <apsrir@codeaurora.org>
2017-01-06 17:34:57 +05:30 · 2017-01-06 17:34:57 +05:30 · 2428bc4912
parent 3dfb72afcb
commit 2428bc4912
1 changed files with 17 additions and 5 deletions
--- a/libmemtrack/kgsl.c
+++ b/libmemtrack/kgsl.c
@ -93,19 +93,31 @@ int kgsl_memtrack_get_memory(pid_t pid, enum memtrack_type type,
            continue;
        }

+        if (size == 0)
+            return -EINVAL;
+
+        if (unaccounted_size + size < size)
+            return -ERANGE;
+
        if (type == MEMTRACK_TYPE_GL && strcmp(line_type, "gpumem") == 0) {

            if (flags[6] == 'Y') {
-                accounted_size += mapsize;
-		unaccounted_size += size - mapsize;
-	    } else
-                unaccounted_size += size;
+                if (accounted_size + mapsize < accounted_size)
+                    return -ERANGE;

+                accounted_size += mapsize;
+
+                if (mapsize > size)
+                    return -EINVAL;
+
+                unaccounted_size += size - mapsize;
+            } else
+                unaccounted_size += size;
        } else if (type == MEMTRACK_TYPE_GRAPHICS && strcmp(line_type, "ion") == 0) {
            if (strcmp(line_usage, "egl_surface") == 0)
                unaccounted_size += size;
            else if (egl_surface_count == 0)
-		unaccounted_size += size / (egl_image_count ? egl_image_count : 1);
+                unaccounted_size += size / (egl_image_count ? egl_image_count : 1);
        }
    }