From: Chris Wilson
Subject: Re: bug report: potential integer overflow in validate_exec_list()
Date: Sun, 21 Nov 2010 09:23:46 +0000
Message-ID: <849307$af353c@azsmga001.ch.intel.com>
In-Reply-To: <20101120183207.GC1522@bicker>
To: Dan Carpenter
Cc: intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org

On Sat, 20 Nov 2010 21:32:07 +0300, Dan Carpenter wrote:
> Hello Chris,
>
> Is there an integer overflow in validate_exec_list()?
>
> drivers/gpu/drm/i915/i915_gem.c
>   3633  size_t length = exec[i].relocation_count * sizeof(struct drm_i915_gem_relocation_entry);
>   3634
>   3635  if (!access_ok(VERIFY_READ, ptr, length))
>   3636          return -EFAULT;
>   3637
>
> My concern is that if relocation_count is larger than 0x8000000 the
> multiplication can wrap.

Yes, it could. Not through normal use since relocation count can not be
more than buffer length, hence realistically capped at around 4k entries.
However...

Thanks,
-Chris

-- 
Chris Wilson, Intel Open Source Technology Centre
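The wrap discussed in this thread, as an added example that is not part of the original messages or of the i915 driver: a length computed as count times entry size is truncated before it reaches the range check, so the check passes for a count the region cannot hold. Assumptions: a 32-bit size_t (modelled as uint32_t) and 32-byte entries, which together give the 0x8000000 threshold quoted above; `range_ok`, `validate_unchecked`, `validate_checked` and `RELOC_ENTRY_SIZE` are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 32-byte relocation entries, 32-bit size arithmetic. */
#define RELOC_ENTRY_SIZE 32u

/* Hypothetical stand-in for access_ok(): does a read of `length` bytes
 * fit inside a readable region of `region_size` bytes? */
static bool range_ok(uint32_t length, uint32_t region_size)
{
    return length <= region_size;
}

/* Same shape as the quoted snippet: the product can wrap modulo 2^32,
 * so the range check sees a length far smaller than count entries. */
static bool validate_unchecked(uint32_t count, uint32_t region_size)
{
    uint32_t length = count * RELOC_ENTRY_SIZE;
    return range_ok(length, region_size);
}

/* Bound the count first, so the multiplication can never wrap. */
static bool validate_checked(uint32_t count, uint32_t region_size)
{
    if (count > UINT32_MAX / RELOC_ENTRY_SIZE)
        return false;
    return range_ok(count * RELOC_ENTRY_SIZE, region_size);
}

int main(void)
{
    /* Constructed sample counts around the wrap point, checked against
     * a constructed 4096-byte readable region. */
    const uint32_t counts[] = { 128u, 0x7ffffffu, 0x8000000u, 0x8000001u };
    const uint32_t region = 4096u;

    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++)
        printf("count=0x%08x length=0x%08x unchecked=%s checked=%s\n",
               (unsigned)counts[i],
               (unsigned)(counts[i] * RELOC_ENTRY_SIZE),
               validate_unchecked(counts[i], region) ? "pass" : "fail",
               validate_checked(counts[i], region) ? "pass" : "fail");
    return 0;
}
```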