From: Xi Wang <xi.wang@gmail.com>
To: Daniel Vetter <daniel.vetter@ffwll.ch>,
Keith Packard <keithp@keithp.com>
Cc: intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org,
linux-kernel@vger.kernel.org, security@kernel.org,
Xi Wang <xi.wang@gmail.com>,
Chris Wilson <chris@chris-wilson.co.uk>,
stable@vger.kernel.org
Subject: [PATCH v2 2/2] drm/i915: fix integer overflow in i915_gem_do_execbuffer()
Date: Mon, 23 Apr 2012 04:06:42 -0400 [thread overview]
Message-ID: <1335168402-25174-2-git-send-email-xi.wang@gmail.com> (raw)
In-Reply-To: <1335168402-25174-1-git-send-email-xi.wang@gmail.com>
On 32-bit systems, a large args->num_cliprects from userspace via ioctl
may overflow the allocation size, leading to out-of-bounds access.
This vulnerability was introduced in commit 432e58ed ("drm/i915: Avoid
allocation for execbuffer object list").
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@vger.kernel.org
---
drivers/gpu/drm/i915/i915_gem_execbuffer.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index 7c50e58..de43194 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -1133,6 +1133,11 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data,
return -EINVAL;
}
+ if (args->num_cliprects > UINT_MAX / sizeof(*cliprects)) {
+ DRM_DEBUG("execbuf with %u cliprects\n",
+ args->num_cliprects);
+ return -EINVAL;
+ }
cliprects = kmalloc(args->num_cliprects * sizeof(*cliprects),
GFP_KERNEL);
if (cliprects == NULL) {
--
1.7.5.4
next prev parent reply other threads:[~2012-04-23 8:06 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-04-23 8:06 [PATCH v2 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2() Xi Wang
2012-04-23 8:06 ` Xi Wang
2012-04-23 8:06 ` Xi Wang [this message]
2012-04-23 8:18 ` [PATCH v2 2/2] drm/i915: fix integer overflow in i915_gem_do_execbuffer() Chris Wilson
2012-04-23 8:18 ` Chris Wilson
2012-04-23 8:18 ` [PATCH v2 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2() Chris Wilson
2012-04-23 8:18 ` Chris Wilson
2012-04-23 20:44 ` Daniel Vetter
2012-04-23 20:44 ` Daniel Vetter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1335168402-25174-2-git-send-email-xi.wang@gmail.com \
--to=xi.wang@gmail.com \
--cc=chris@chris-wilson.co.uk \
--cc=daniel.vetter@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=intel-gfx@lists.freedesktop.org \
--cc=keithp@keithp.com \
--cc=linux-kernel@vger.kernel.org \
--cc=security@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.