38 lines
1.3 KiB
Diff
38 lines
1.3 KiB
Diff
From: Xi Wang <xi.wang@gmail.com>
|
|
Date: Mon, 23 Apr 2012 04:06:41 -0400
|
|
Message-Id: <1335168402-25174-1-git-send-email-xi.wang@gmail.com>
|
|
Subject: [PATCH v2 1/2] drm/i915: fix integer overflow in
|
|
i915_gem_execbuffer2()
|
|
|
|
On 32-bit systems, a large args->buffer_count from userspace via ioctl
|
|
may overflow the allocation size, leading to out-of-bounds access.
|
|
|
|
This vulnerability was introduced in commit 8408c282 ("drm/i915:
|
|
First try a normal large kmalloc for the temporary exec buffers").
|
|
|
|
Signed-off-by: Xi Wang <xi.wang@gmail.com>
|
|
Cc: Chris Wilson <chris@chris-wilson.co.uk>
|
|
Cc: stable@vger.kernel.org
|
|
[bwh: Backported to 3.2: adjust context]
|
|
---
|
|
drivers/gpu/drm/i915/i915_gem_execbuffer.c | 3 ++-
|
|
1 files changed, 2 insertions(+), 1 deletions(-)
|
|
|
|
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
|
|
index f51a696..7c50e58 100644
|
|
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
|
|
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
|
|
@@ -1404,7 +1404,8 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data,
|
|
struct drm_i915_gem_exec_object2 *exec2_list = NULL;
|
|
int ret;
|
|
|
|
- if (args->buffer_count < 1) {
|
|
+ if (args->buffer_count < 1 ||
|
|
+ args->buffer_count > UINT_MAX / sizeof(*exec2_list)) {
|
|
DRM_ERROR("execbuf2 with %d buffers\n", args->buffer_count);
|
|
return -EINVAL;
|
|
}
|
|
--
|
|
1.7.5.4
|
|
|