From: Chris Wilson <chris@chris-wilson.co.uk>
To: Dan Carpenter <error27@gmail.com>
Cc: intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org
Subject: Re: bug report: potential integer overflow in validate_exec_list()
Date: Mon, 22 Nov 2010 10:35:10 +0000 [thread overview]
Message-ID: <849307$afcbkr@azsmga001.ch.intel.com> (raw)
In-Reply-To: <20101122095642.GD1522@bicker>
On Mon, 22 Nov 2010 12:56:42 +0300, Dan Carpenter <error27@gmail.com> wrote:
> On Sun, Nov 21, 2010 at 09:23:46AM +0000, Chris Wilson wrote:
> > Yes, it could. Not through normal use since relocation count can not be
> > more than buffer length, hence realistically capped at around 4k entries.
> > However...
> >
>
> If the user deliberately made it wrap to get past the access_ok() check
> then it would just return -ENOENT in i915_gem_execbuffer_relocate()
> right?
>
> It doesn't look like there are any security implications but I just
> wanted to be sure.
I think it did have a security implication, because it would only validate
the first x bytes of the user pointer but then continue to read/write
beyond. It would have to be a fairly crafty user! I've queued a fix in
the drm-intel-fixes branch:
commit d1d788302e8c76e5138dfa61f4a5eee4f72a748f
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date: Sun Nov 21 09:23:48 2010 +0000
drm/i915: Prevent integer overflow when validating the execbuffer
Commit 2549d6c2 removed the vmalloc used for temporary storage of the
relocation lists used during execbuffer. However, our use of vmalloc was
being protected by an integer overflow check which we do want to
preserve!
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Many thanks,
-Chris
--
Chris Wilson, Intel Open Source Technology Centre
prev parent reply other threads:[~2010-11-22 10:35 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-20 18:32 bug report: potential integer overflow in validate_exec_list() Dan Carpenter
2010-11-21 9:23 ` Chris Wilson
2010-11-22 9:56 ` Dan Carpenter
2010-11-22 10:35 ` Chris Wilson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='849307$afcbkr@azsmga001.ch.intel.com' \
--to=chris@chris-wilson.co.uk \
--cc=dri-devel@lists.freedesktop.org \
--cc=error27@gmail.com \
--cc=intel-gfx@lists.freedesktop.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox