From mboxrd@z Thu Jan 1 00:00:00 1970
From: Xi Wang
Subject: [PATCH 2/2] drm/i915: fix integer overflow in i915_gem_do_execbuffer()
Date: Fri, 6 Apr 2012 08:58:19 -0400
Message-ID: <1333717099-32679-2-git-send-email-xi.wang@gmail.com>
References: <1333717099-32679-1-git-send-email-xi.wang@gmail.com>
In-Reply-To: <1333717099-32679-1-git-send-email-xi.wang@gmail.com>
To: Keith Packard, Daniel Vetter
Cc: linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org
List-Id: dri-devel@lists.freedesktop.org

A large args->num_cliprects from userspace may overflow the allocation
size, leading to out-of-bounds access.

| i915_gem_do_execbuffer()
| i915_gem_execbuffer()

Use kmalloc_array() to avoid that.

Signed-off-by: Xi Wang
--- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c index 19962bd..607be3d 100644 --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c 
@@ -1133,8 +1133,8 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data, return -EINVAL; } - cliprects = kmalloc(args->num_cliprects * sizeof(*cliprects), - GFP_KERNEL); + cliprects = kmalloc_array(args->num_cliprects, sizeof(*cliprects), + GFP_KERNEL); if (cliprects == NULL) { ret = -ENOMEM; goto pre_mutex_err; -- 1.7.5.4
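Review bot: With kmalloc_array() an overflowing args->num_cliprects now falls into the existing "if (cliprects == NULL)" branch and is reported as -ENOMEM, although the actual problem is an invalid argument from userspace. Consider rejecting the count explicitly before the allocation, next to the "return -EINVAL;" visible at the top of the hunk, with a bound derived from sizeof(*cliprects), so the caller gets -EINVAL and the allocator is never asked for an impossible size. If the product args->num_cliprects * sizeof(*cliprects) is computed again after this allocation, outside the lines shown here, that use needs the same guard; an explicit bound check up front would cover it as well. The commit message could also state on which configurations the multiplication can wrap, since that determines who needs the backport.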