On Sat, 20 Nov 2010 21:32:07 +0300, Dan Carpenter <error27@xxxxxxxxx> wrote: > Hello Chris, > > Is there an integer overflow in validate_exec_list()? > > drivers/gpu/drm/i915/i915_gem.c > 3633 size_t length = exec[i].relocation_count * sizeof(struct drm_i915_gem_relocation_entry); > 3634 > 3635 if (!access_ok(VERIFY_READ, ptr, length)) > 3636 return -EFAULT; > 3637 > > My concern is that if relocation_count is larger than 0x8000000 the > multiplication can wrap. Yes, it could. Not through normal use since relocation count can not be more than buffer length, hence realistically capped at around 4k entries. However... Thanks, -Chris -- Chris Wilson, Intel Open Source Technology Centre _______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/dri-devel
