34 lines
1.3 KiB
Diff
34 lines
1.3 KiB
Diff
Subject: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
|
|
From: Li Qiang <liq3ea@gmail.com>
|
|
Date: Tue, 28 Mar 2017 03:10:53 +0000
|
|
Origin: https://lists.freedesktop.org/archives/dri-devel/2017-March/137124.html
|
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7294
|
|
|
|
In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the
|
|
'req->mip_levels' array. This array can be assigned any value from
|
|
the user space. As both the 'num_sizes' and the array is uint32_t,
|
|
it is easy to make 'num_sizes' overflow. The later 'mip_levels' is
|
|
used as the loop count. This can lead an oob write. Add the check of
|
|
'req->mip_levels' to avoid this.
|
|
|
|
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
|
---
|
|
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 5 ++++-
|
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
|
|
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
|
|
@@ -713,8 +713,11 @@ int vmw_surface_define_ioctl(struct drm_
|
|
128;
|
|
|
|
num_sizes = 0;
|
|
- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
|
|
+ for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) {
|
|
+ if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS)
|
|
+ return -EINVAL;
|
|
num_sizes += req->mip_levels[i];
|
|
+ }
|
|
|
|
if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
|
|
num_sizes == 0)
|