[patch 4/4] drm/amdgpu: integer overflow in amdgpu_mode_dumb_create()

From: Dan Carpenter <dan.carpenter@oracle.com>
To: David Airlie <airlied@linux.ie>
Cc: security@kernel.org, "Marek Olšák" <marek.olsak@amd.com>,
	"Ilja Van Sprundel" <ivansprundel@ioactive.com>,
	dri-devel@lists.freedesktop.org,
	"Alex Deucher" <alexander.deucher@amd.com>,
	"Leo Liu" <leo.liu@amd.com>,
	"Christian König" <christian.koenig@amd.com>,
	"monk.liu" <monk.liu@amd.com>
Subject: [patch 4/4] drm/amdgpu: integer overflow in amdgpu_mode_dumb_create()
Date: Wed, 23 Sep 2015 14:00:59 +0300	[thread overview]
Message-ID: <20150923110059.GD16158@mwanda> (raw)
In-Reply-To: <13E61BCA7787794E89BDF39B8DE40C024D12E9F63F@ioaexchange.ioactive.local>

args->size is a u64.  arg->pitch and args->height are u32.  The
multiplication will overflow instead of using the high 32 bits as
intended.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
index dac14de..2023055 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
@@ -656,7 +656,7 @@ int amdgpu_mode_dumb_create(struct drm_file *file_priv,
 	int r;
 
 	args->pitch = amdgpu_align_pitch(adev, args->width, args->bpp, 0) * ((args->bpp + 1) / 8);
-	args->size = args->pitch * args->height;
+	args->size = (u64)args->pitch * args->height;
 	args->size = ALIGN(args->size, PAGE_SIZE);
 
 	r = amdgpu_gem_object_create(adev, args->size, 0,
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/dri-devel
