From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dan Carpenter
Subject: Re: bug report: potential integer overflow in validate_exec_list()
Date: Mon, 22 Nov 2010 12:56:42 +0300
Message-ID: <20101122095642.GD1522@bicker>
References: <20101120183207.GC1522@bicker> <849307$af353c@azsmga001.ch.intel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path:
Content-Disposition: inline
In-Reply-To: <849307$af353c@azsmga001.ch.intel.com>
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
Errors-To: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
To: Chris Wilson
Cc: intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org
List-Id: intel-gfx@lists.freedesktop.org

On Sun, Nov 21, 2010 at 09:23:46AM +0000, Chris Wilson wrote:
> On Sat, 20 Nov 2010 21:32:07 +0300, Dan Carpenter wrote:
> > Hello Chris,
> >
> > Is there an integer overflow in validate_exec_list()?
> >
> > drivers/gpu/drm/i915/i915_gem.c
> >   3633          size_t length = exec[i].relocation_count * sizeof(struct drm_i915_gem_relocation_entry);
> >   3634
> >   3635          if (!access_ok(VERIFY_READ, ptr, length))
> >   3636                  return -EFAULT;
> >   3637
> >
> > My concern is that if relocation_count is larger than 0x8000000 the
> > multiplication can wrap.
>
> Yes, it could. Not through normal use since relocation count can not be
> more than buffer length, hence realistically capped at around 4k entries.
> However...
>

If the user deliberately made it wrap to get past the access_ok() check
then it would just return -ENOENT in i915_gem_execbuffer_relocate()
right?

It doesn't look like there are any security implications but I just
wanted to be sure.

regards,
dan carpenter
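The wrap Dan is asking about, as an added example that is not part of this thread and not i915 code. The struct, the toy user address range and the access_ok32() stand-in are all assumptions made for illustration: the entry layout copies the 32-byte size of the real struct drm_i915_gem_relocation_entry, and the length is deliberately computed in a 32-bit type so the wrap is observable on any host (on a 64-bit kernel size_t is 64 bits wide and a u32 count times 32 cannot wrap there). validate_unchecked() reproduces the quoted computation; validate_checked() rejects a count whose product cannot fit before it ever reaches the range check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#include <errno.h>

/* Hypothetical stand-in for struct drm_i915_gem_relocation_entry.
 * Same 32-byte size as the real one; field names are illustrative. */
struct reloc_entry {
    uint32_t target_handle;
    uint32_t delta;
    uint64_t offset;
    uint64_t presumed_offset;
    uint32_t read_domains;
    uint32_t write_domain;
};

/* Model a 32-bit size_t so the multiplication wrap is reproducible
 * regardless of the host's pointer width (assumption for the demo). */
typedef uint32_t size32_t;

/* Constructed toy user address space: [USER_BASE, USER_BASE + USER_SIZE). */
#define USER_BASE 0x10000000u
#define USER_SIZE 0x01000000u   /* 16 MiB */

/* Shape of the kernel's access_ok(): the range [ptr, ptr+len) must not wrap
 * and must lie entirely inside the user range. Stand-in, not the kernel's. */
static bool access_ok32(uint32_t ptr, size32_t len)
{
    if (ptr + len < ptr)
        return false;
    return ptr >= USER_BASE && ptr + len <= USER_BASE + USER_SIZE;
}

/* Length as computed on the quoted line: count * sizeof(entry), unchecked.
 * In 32-bit arithmetic count = 0x08000000 gives 0x1_0000_0000, i.e. 0. */
size32_t reloc_bytes_unchecked(uint32_t relocation_count)
{
    return relocation_count * (size32_t)sizeof(struct reloc_entry);
}

/* The quoted check as written: a wrapped (tiny) length sails through
 * access_ok even though the caller claims 2^27 entries. */
int validate_unchecked(uint32_t ptr, uint32_t relocation_count)
{
    size32_t length = reloc_bytes_unchecked(relocation_count);

    if (!access_ok32(ptr, length))
        return -EFAULT;
    return 0;
}

/* Hardened form: refuse any count whose byte size does not fit in the
 * length type, so the product handed to access_ok is always exact. */
int validate_checked(uint32_t ptr, uint32_t relocation_count)
{
    size32_t length;

    if (relocation_count > UINT32_MAX / sizeof(struct reloc_entry))
        return -EINVAL;
    length = relocation_count * (size32_t)sizeof(struct reloc_entry);
    if (!access_ok32(ptr, length))
        return -EFAULT;
    return 0;
}

int main(void)
{
    uint32_t counts[] = { 0x1000u, 0x100000u, 0x08000000u, 0x08000001u };

    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
        uint32_t n = counts[i];
        printf("count=0x%08x bytes(wrapping)=0x%08x unchecked=%d checked=%d\n",
               n, reloc_bytes_unchecked(n),
               validate_unchecked(USER_BASE, n),
               validate_checked(USER_BASE, n));
    }
    return 0;
}
```

The division-based guard is the portable idiom; later kernels express the same thing with check_mul_overflow() or array_size() from include/linux/overflow.h, which also catch the case on builds where size_t is wider than the count type. Note what the example does and does not show: a wrapped length lets the range check pass, but whether that is exploitable depends on what the per-entry code does afterwards, which is exactly the question the reply above raises about i915_gem_execbuffer_relocate().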