From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dan Carpenter
Date: Tue, 22 Sep 2015 14:32:08 +0000
Subject: [patch 4/4 v2] drm/qxl: integer overflow in qxl_alloc_surf_ioctl()
Message-Id: <20150922143208.GA2319@mwanda>
References: <421515033.28673933.1442569564307.JavaMail.zimbra@redhat.com>
In-Reply-To: <421515033.28673933.1442569564307.JavaMail.zimbra@redhat.com>
To: David Airlie
Cc: Dave Airlie, kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org, Frediano Ziglio

The size calculation can overflow.  I don't know if this leads to
memory corruption, but it causes a static checker warning.

Signed-off-by: Dan Carpenter
---
v2: I don't think the size is capped anywhere.  In my first version
of this patch, I introduced a divide by zero bug.

diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c
index b2db482..49b3158 100644
--- a/drivers/gpu/drm/qxl/qxl_ioctl.c
+++ b/drivers/gpu/drm/qxl/qxl_ioctl.c
@@ -396,12 +396,14 @@ static int qxl_alloc_surf_ioctl(struct drm_device *dev, void *data,
 	struct qxl_bo *qobj;
 	int handle;
 	int ret;
-	int size, actual_stride;
+	u64 size, actual_stride;
 	struct qxl_surface surf;
 
 	/* work out size allocate bo with handle */
 	actual_stride = param->stride < 0 ? -param->stride : param->stride;
 	size = actual_stride * param->height + actual_stride;
+	if (size > INT_MAX)
+		return -EINVAL;
 
 	surf.format = param->format;
 	surf.width = param->width;
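Review bot: widening `size` and `actual_stride` to `u64` does not change the type in which `-param->stride` is evaluated on the `actual_stride = param->stride < 0 ? ...` line; the negation still happens in the stride's own signed type before the result is converted to `u64`, so the most negative stride value overflows in signed arithmetic and the new `size > INT_MAX` check only rejects that case because of how the overflowed value happens to convert. Widening before negating avoids relying on that, e.g. `actual_stride = param->stride < 0 ? -(s64)param->stride : param->stride;`. With both inputs widened, the product and sum in `size = actual_stride * param->height + actual_stride;` cannot wrap a `u64` for 32-bit operands, so the `INT_MAX` comparison is then a sound cap on its own; since the only visible reason for choosing `INT_MAX` as the bound is that `size` was previously an `int` handed to the allocation path, it would help reviewers if the commit message said so.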