From mboxrd@z Thu Jan  1 00:00:00 1970
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Thu, 29 Oct 2015 13:37:54 +0000
Subject: [patch] drm: crtc: integer overflow in drm_property_create_blob()
Message-Id: <20151029133754.GA2862@mwanda>
List-Id: <kernel-janitors.vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: David Airlie <airlied@linux.ie>
Cc: kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org

The size here comes from the user via the ioctl, it is a number between
1-u32max so the addition here could overflow on 32 bit systems.

Fixes: f453ba046074 ('DRM: add mode setting support')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index e54660a..627b2d0 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -4107,7 +4107,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
 	struct drm_property_blob *blob;
 	int ret;
 
-	if (!length)
+	if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
 		return ERR_PTR(-EINVAL);
 
 	blob = kzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);

From mboxrd@z Thu Jan  1 00:00:00 1970
From: Dan Carpenter <dan.carpenter@oracle.com>
Subject: [patch] drm: crtc: integer overflow in drm_property_create_blob()
Date: Thu, 29 Oct 2015 16:37:54 +0300
Message-ID: <20151029133754.GA2862@mwanda>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Return-path: <dri-devel-bounces@lists.freedesktop.org>
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81])
 by gabe.freedesktop.org (Postfix) with ESMTPS id B091A6EBF6
 for <dri-devel@lists.freedesktop.org>; Thu, 29 Oct 2015 06:38:05 -0700 (PDT)
Content-Disposition: inline
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
To: David Airlie <airlied@linux.ie>
Cc: kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org
List-Id: dri-devel@lists.freedesktop.org

VGhlIHNpemUgaGVyZSBjb21lcyBmcm9tIHRoZSB1c2VyIHZpYSB0aGUgaW9jdGwsIGl0IGlzIGEg
bnVtYmVyIGJldHdlZW4KMS11MzJtYXggc28gdGhlIGFkZGl0aW9uIGhlcmUgY291bGQgb3ZlcmZs
b3cgb24gMzIgYml0IHN5c3RlbXMuCgpGaXhlczogZjQ1M2JhMDQ2MDc0ICgnRFJNOiBhZGQgbW9k
ZSBzZXR0aW5nIHN1cHBvcnQnKQpTaWduZWQtb2ZmLWJ5OiBEYW4gQ2FycGVudGVyIDxkYW4uY2Fy
cGVudGVyQG9yYWNsZS5jb20+CgpkaWZmIC0tZ2l0IGEvZHJpdmVycy9ncHUvZHJtL2RybV9jcnRj
LmMgYi9kcml2ZXJzL2dwdS9kcm0vZHJtX2NydGMuYwppbmRleCBlNTQ2NjBhLi42MjdiMmQwIDEw
MDY0NAotLS0gYS9kcml2ZXJzL2dwdS9kcm0vZHJtX2NydGMuYworKysgYi9kcml2ZXJzL2dwdS9k
cm0vZHJtX2NydGMuYwpAQCAtNDEwNyw3ICs0MTA3LDcgQEAgZHJtX3Byb3BlcnR5X2NyZWF0ZV9i
bG9iKHN0cnVjdCBkcm1fZGV2aWNlICpkZXYsIHNpemVfdCBsZW5ndGgsCiAJc3RydWN0IGRybV9w
cm9wZXJ0eV9ibG9iICpibG9iOwogCWludCByZXQ7CiAKLQlpZiAoIWxlbmd0aCkKKwlpZiAoIWxl
bmd0aCB8fCBsZW5ndGggPiBVTE9OR19NQVggLSBzaXplb2Yoc3RydWN0IGRybV9wcm9wZXJ0eV9i
bG9iKSkKIAkJcmV0dXJuIEVSUl9QVFIoLUVJTlZBTCk7CiAKIAlibG9iID0ga3phbGxvYyhzaXpl
b2Yoc3RydWN0IGRybV9wcm9wZXJ0eV9ibG9iKStsZW5ndGgsIEdGUF9LRVJORUwpOwpfX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXwpkcmktZGV2ZWwgbWFpbGlu
ZyBsaXN0CmRyaS1kZXZlbEBsaXN0cy5mcmVlZGVza3RvcC5vcmcKaHR0cDovL2xpc3RzLmZyZWVk
ZXNrdG9wLm9yZy9tYWlsbWFuL2xpc3RpbmZvL2RyaS1kZXZlbAo=