From: Chris Wilson <chris@chris-wilson.co.uk>
To: Xi Wang <xi.wang@gmail.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>,
linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org
Subject: Re: [PATCH 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2()
Date: Fri, 06 Apr 2012 14:54:05 +0100 [thread overview]
Message-ID: <1333720475_271533@CP5-2952> (raw)
In-Reply-To: <B6B08A4C-2FEA-4C08-AB2F-4A99FB8D3786@gmail.com>
On Fri, 6 Apr 2012 09:46:46 -0400, Xi Wang <xi.wang@gmail.com> wrote:
> On Apr 6, 2012, at 9:36 AM, Chris Wilson wrote:
>
> > On Fri, 6 Apr 2012 08:58:18 -0400, Xi Wang <xi.wang@gmail.com> wrote:
> >> A large args->buffer_count from userspace may overflow the allocation
> >> size, leading to out-of-bounds access.
> >>
> >> Use kmalloc_array() to avoid that.
> >
> > I can safely say that exec list larger than 4GiB is going to be an
> > illegal operation and would rather the ioctl failed outright with
> > EINVAL.
>
> On 32-bit platform?
On any platform. The largest it can legally be is a few tens of megabytes.
-Chris
--
Chris Wilson, Intel Open Source Technology Centre
WARNING: multiple messages have this Message-ID (diff)
From: Chris Wilson <chris@chris-wilson.co.uk>
To: Xi Wang <xi.wang@gmail.com>
Cc: Keith Packard <keithp@keithp.com>,
Daniel Vetter <daniel.vetter@ffwll.ch>,
linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org
Subject: Re: [PATCH 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2()
Date: Fri, 06 Apr 2012 14:54:05 +0100 [thread overview]
Message-ID: <1333720475_271533@CP5-2952> (raw)
In-Reply-To: <B6B08A4C-2FEA-4C08-AB2F-4A99FB8D3786@gmail.com>
On Fri, 6 Apr 2012 09:46:46 -0400, Xi Wang <xi.wang@gmail.com> wrote:
> On Apr 6, 2012, at 9:36 AM, Chris Wilson wrote:
>
> > On Fri, 6 Apr 2012 08:58:18 -0400, Xi Wang <xi.wang@gmail.com> wrote:
> >> A large args->buffer_count from userspace may overflow the allocation
> >> size, leading to out-of-bounds access.
> >>
> >> Use kmalloc_array() to avoid that.
> >
> > I can safely say that exec list larger than 4GiB is going to be an
> > illegal operation and would rather the ioctl failed outright with
> > EINVAL.
>
> On 32-bit platform?
On any platform. The largest it can legally be is a few tens of megabytes.
-Chris
--
Chris Wilson, Intel Open Source Technology Centre
next prev parent reply other threads:[~2012-04-06 13:54 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-04-06 12:58 [PATCH 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2() Xi Wang
2012-04-06 12:58 ` Xi Wang
2012-04-06 12:58 ` [PATCH 2/2] drm/i915: fix integer overflow in i915_gem_do_execbuffer() Xi Wang
2012-04-06 12:58 ` Xi Wang
2012-04-06 13:36 ` [PATCH 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2() Chris Wilson
2012-04-06 13:46 ` Xi Wang
2012-04-06 13:54 ` Chris Wilson [this message]
2012-04-06 13:54 ` Chris Wilson
2012-04-06 14:01 ` Xi Wang
2012-04-06 14:01 ` Xi Wang
2012-04-06 14:44 ` Chris Wilson
2012-04-06 14:44 ` Chris Wilson
2012-04-06 18:17 ` Xi Wang
2012-04-06 19:40 ` Chris Wilson
2012-04-06 20:34 ` Xi Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1333720475_271533@CP5-2952 \
--to=chris@chris-wilson.co.uk \
--cc=daniel.vetter@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-kernel@vger.kernel.org \
--cc=xi.wang@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.