From mboxrd@z Thu Jan  1 00:00:00 1970
From: Dan Carpenter <error27@gmail.com>
Subject: bug report: potential integer overflow in validate_exec_list()
Date: Sat, 20 Nov 2010 21:32:07 +0300
Message-ID: <20101120183207.GC1522@bicker>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org>
Content-Disposition: inline
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Sender: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
Errors-To: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
To: Chris Wilson <chris@chris-wilson.co.uk>
Cc: intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org
List-Id: intel-gfx@lists.freedesktop.org

Hello Chris,

Is there an integer overflow in validate_exec_list()?

drivers/gpu/drm/i915/i915_gem.c
  3633          size_t length = exec[i].relocation_count * sizeof(struct drm_i915_gem_relocation_entry);
  3634  
  3635          if (!access_ok(VERIFY_READ, ptr, length))
  3636                  return -EFAULT;
  3637  

My concern is that if relocation_count is larger than 0x8000000 the
multiplication can wrap.

This code was added in 2549d6c2 "drm/i915: Avoid vmallocing a buffer for
the relocations"

regards,
dan carpenter