39 lines
1.3 KiB
Diff
39 lines
1.3 KiB
Diff
From: Xi Wang <xi.wang@gmail.com>
|
|
Date: Mon, 23 Apr 2012 04:06:42 -0400
|
|
Message-Id: <1335168402-25174-2-git-send-email-xi.wang@gmail.com>
|
|
Subject: [PATCH v2 2/2] drm/i915: fix integer overflow in
|
|
i915_gem_do_execbuffer()
|
|
|
|
On 32-bit systems, a large args->num_cliprects from userspace via ioctl
|
|
may overflow the allocation size, leading to out-of-bounds access.
|
|
|
|
This vulnerability was introduced in commit 432e58ed ("drm/i915: Avoid
|
|
allocation for execbuffer object list").
|
|
|
|
Signed-off-by: Xi Wang <xi.wang@gmail.com>
|
|
Cc: Chris Wilson <chris@chris-wilson.co.uk>
|
|
Cc: stable@vger.kernel.org
|
|
---
|
|
drivers/gpu/drm/i915/i915_gem_execbuffer.c | 5 +++++
|
|
1 files changed, 5 insertions(+), 0 deletions(-)
|
|
|
|
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
|
|
index 7c50e58..de43194 100644
|
|
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
|
|
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
|
|
@@ -1133,6 +1133,11 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data,
|
|
return -EINVAL;
|
|
}
|
|
|
|
+ if (args->num_cliprects > UINT_MAX / sizeof(*cliprects)) {
|
|
+ DRM_DEBUG("execbuf with %u cliprects\n",
|
|
+ args->num_cliprects);
|
|
+ return -EINVAL;
|
|
+ }
|
|
cliprects = kmalloc(args->num_cliprects * sizeof(*cliprects),
|
|
GFP_KERNEL);
|
|
if (cliprects == NULL) {
|
|
--
|
|
1.7.5.4
|
|
|