[PATCH v2 1/2] drm/i915: fix integer overflow in i915_gem

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH v2 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2()
@ 2012-04-23  8:06 Xi Wang
  2012-04-23  8:06 ` [PATCH v2 2/2] drm/i915: fix integer overflow in i915_gem_do_execbuffer() Xi Wang
  2012-04-23  8:18 ` [PATCH v2 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2() Chris Wilson
  0 siblings, 2 replies; 5+ messages in thread
From: Xi Wang @ 2012-04-23  8:06 UTC (permalink / raw)
  To: Daniel Vetter, Keith Packard
  Cc: intel-gfx, dri-devel, linux-kernel, security, Xi Wang,
	Chris Wilson, stable

On 32-bit systems, a large args->buffer_count from userspace via ioctl
may overflow the allocation size, leading to out-of-bounds access.

This vulnerability was introduced in commit 8408c282 ("drm/i915:
First try a normal large kmalloc for the temporary exec buffers").

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@vger.kernel.org
---
 drivers/gpu/drm/i915/i915_gem_execbuffer.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index f51a696..7c50e58 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -1404,7 +1404,8 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data,
 	struct drm_i915_gem_exec_object2 *exec2_list = NULL;
 	int ret;
 
-	if (args->buffer_count < 1) {
+	if (args->buffer_count < 1 ||
+	    args->buffer_count > UINT_MAX / sizeof(*exec2_list)) {
 		DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count);
 		return -EINVAL;
 	}
-- 
1.7.5.4


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [PATCH v2 2/2] drm/i915: fix integer overflow in i915_gem_do_execbuffer()
  2012-04-23  8:06 [PATCH v2 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2() Xi Wang
@ 2012-04-23  8:06 ` Xi Wang
  2012-04-23  8:18   ` Chris Wilson
  2012-04-23  8:18 ` [PATCH v2 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2() Chris Wilson
  1 sibling, 1 reply; 5+ messages in thread
From: Xi Wang @ 2012-04-23  8:06 UTC (permalink / raw)
  To: Daniel Vetter, Keith Packard
  Cc: intel-gfx, dri-devel, linux-kernel, security, Xi Wang,
	Chris Wilson, stable

On 32-bit systems, a large args->num_cliprects from userspace via ioctl
may overflow the allocation size, leading to out-of-bounds access.

This vulnerability was introduced in commit 432e58ed ("drm/i915: Avoid
allocation for execbuffer object list").

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@vger.kernel.org
---
 drivers/gpu/drm/i915/i915_gem_execbuffer.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index 7c50e58..de43194 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -1133,6 +1133,11 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data,
 			return -EINVAL;
 		}
 
+		if (args->num_cliprects > UINT_MAX / sizeof(*cliprects)) {
+			DRM_DEBUG("execbuf with %u cliprects\n",
+				  args->num_cliprects);
+			return -EINVAL;
+		}
 		cliprects = kmalloc(args->num_cliprects * sizeof(*cliprects),
 				    GFP_KERNEL);
 		if (cliprects == NULL) {
-- 
1.7.5.4


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH v2 2/2] drm/i915: fix integer overflow in i915_gem_do_execbuffer()
  2012-04-23  8:06 ` [PATCH v2 2/2] drm/i915: fix integer overflow in i915_gem_do_execbuffer() Xi Wang
@ 2012-04-23  8:18   ` Chris Wilson
  0 siblings, 0 replies; 5+ messages in thread
From: Chris Wilson @ 2012-04-23  8:18 UTC (permalink / raw)
  To: Xi Wang, Daniel Vetter, Keith Packard
  Cc: intel-gfx, dri-devel, linux-kernel, security, Xi Wang, stable

On Mon, 23 Apr 2012 04:06:42 -0400, Xi Wang <xi.wang@gmail.com> wrote:
> On 32-bit systems, a large args->num_cliprects from userspace via ioctl
> may overflow the allocation size, leading to out-of-bounds access.
> 
> This vulnerability was introduced in commit 432e58ed ("drm/i915: Avoid
> allocation for execbuffer object list").
> 
> Signed-off-by: Xi Wang <xi.wang@gmail.com>
> Cc: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: stable@vger.kernel.org
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
-Chris

-- 
Chris Wilson, Intel Open Source Technology Centre

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2()
  2012-04-23  8:06 [PATCH v2 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2() Xi Wang
  2012-04-23  8:06 ` [PATCH v2 2/2] drm/i915: fix integer overflow in i915_gem_do_execbuffer() Xi Wang
@ 2012-04-23  8:18 ` Chris Wilson
  2012-04-23 20:44   ` Daniel Vetter
  1 sibling, 1 reply; 5+ messages in thread
From: Chris Wilson @ 2012-04-23  8:18 UTC (permalink / raw)
  To: Xi Wang, Daniel Vetter, Keith Packard
  Cc: intel-gfx, dri-devel, linux-kernel, security, Xi Wang, stable

On Mon, 23 Apr 2012 04:06:41 -0400, Xi Wang <xi.wang@gmail.com> wrote:
> On 32-bit systems, a large args->buffer_count from userspace via ioctl
> may overflow the allocation size, leading to out-of-bounds access.
> 
> This vulnerability was introduced in commit 8408c282 ("drm/i915:
> First try a normal large kmalloc for the temporary exec buffers").
> 
> Signed-off-by: Xi Wang <xi.wang@gmail.com>
> Cc: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: stable@vger.kernel.org
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
-Chris

-- 
Chris Wilson, Intel Open Source Technology Centre

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2()
  2012-04-23  8:18 ` [PATCH v2 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2() Chris Wilson
@ 2012-04-23 20:44   ` Daniel Vetter
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel Vetter @ 2012-04-23 20:44 UTC (permalink / raw)
  To: Chris Wilson
  Cc: Xi Wang, Daniel Vetter, Keith Packard, security, intel-gfx,
	linux-kernel, stable, dri-devel

On Mon, Apr 23, 2012 at 09:18:25AM +0100, Chris Wilson wrote:
> On Mon, 23 Apr 2012 04:06:41 -0400, Xi Wang <xi.wang@gmail.com> wrote:
> > On 32-bit systems, a large args->buffer_count from userspace via ioctl
> > may overflow the allocation size, leading to out-of-bounds access.
> > 
> > This vulnerability was introduced in commit 8408c282 ("drm/i915:
> > First try a normal large kmalloc for the temporary exec buffers").
> > 
> > Signed-off-by: Xi Wang <xi.wang@gmail.com>
> > Cc: Chris Wilson <chris@chris-wilson.co.uk>
> > Cc: stable@vger.kernel.org
> Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Both patches picked up for -fixes, thanks.
-Daniel
-- 
Daniel Vetter
Mail: daniel@ffwll.ch
Mobile: +41 (0)79 365 57 48

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2012-04-23 20:43 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-04-23  8:06 [PATCH v2 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2() Xi Wang
2012-04-23  8:06 ` [PATCH v2 2/2] drm/i915: fix integer overflow in i915_gem_do_execbuffer() Xi Wang
2012-04-23  8:18   ` Chris Wilson
2012-04-23  8:18 ` [PATCH v2 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2() Chris Wilson
2012-04-23 20:44   ` Daniel Vetter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox