On Sun, Nov 21, 2010 at 09:23:46AM +0000, Chris Wilson wrote: > On Sat, 20 Nov 2010 21:32:07 +0300, Dan Carpenter <error27@xxxxxxxxx> wrote: > > Hello Chris, > > > > Is there an integer overflow in validate_exec_list()? > > > > drivers/gpu/drm/i915/i915_gem.c > > 3633 size_t length = exec[i].relocation_count * sizeof(struct drm_i915_gem_relocation_entry); > > 3634 > > 3635 if (!access_ok(VERIFY_READ, ptr, length)) > > 3636 return -EFAULT; > > 3637 > > > > My concern is that if relocation_count is larger than 0x8000000 the > > multiplication can wrap. > > Yes, it could. Not through normal use since relocation count can not be > more than buffer length, hence realistically capped at around 4k entries. > However... > If the user deliberately made it wrap to get past the access_ok() check then it would just return -ENOENT in i915_gem_execbuffer_relocate() right? It doesn't look like there are any security implications but I just wanted to be sure. regards, dan carpenter _______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/dri-devel
