Overflow and apparent kernel scribble in QXL driver

qxl_execbuffer_ioctl copies a qxl_command from user space into a kernel
buffer and then runs qxl_process_single_command. This then does

     reloc_info = kmalloc(sizeof(struct qxl_reloc_info) * cmd->relocs_num,

which, since cmd->relocs_num is 32-bit, can overflow on a 32-bit machine. This
then allocates a reloc_info which is very small.

We then copy all the relocs and in doing so scribble all over random
kernel memory. In mitigation, the data we scribble is somewhat out of
the user's control.

Alan
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel
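The arithmetic the report describes, as an added illustration that is not code from the QXL driver or from Alan's message: a constructed 24-byte stand-in for struct qxl_reloc_info (the real layout is not on the page), the 32-bit size computation that wraps, the same product in a 64-bit size_t where it does not, and the overflow-checked form that the kernel's kcalloc()/check_mul_overflow() pattern provides.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 24-byte stand-in for struct qxl_reloc_info; the real layout
 * is not given in the report, only that the product is computed with it. */
struct reloc_info_stub {
    uint32_t type, dst_handle, dst_offset, src_handle, src_offset, reserved;
};

/* The report's size expression on a 32-bit kernel, where size_t is 32 bits:
 * sizeof(...) * relocs_num is evaluated modulo 2^32 and can wrap to a
 * tiny value, so kmalloc() hands back a buffer far smaller than needed. */
uint32_t reloc_bytes_32bit_unchecked(uint32_t relocs_num)
{
    return (uint32_t)sizeof(struct reloc_info_stub) * relocs_num;
}

/* Same expression with a 64-bit size_t (x86-64): relocs_num is widened
 * and the product fits, which is why the report limits the bug to 32-bit. */
uint64_t reloc_bytes_64bit(uint32_t relocs_num)
{
    return (uint64_t)sizeof(struct reloc_info_stub) * relocs_num;
}

/* Overflow-checked form, the pattern the kernel's kcalloc() and
 * check_mul_overflow() implement: refuse the request instead of wrapping. */
bool reloc_bytes_32bit_checked(uint32_t relocs_num, uint32_t *bytes)
{
    uint32_t elem = (uint32_t)sizeof(struct reloc_info_stub);
    if (relocs_num != 0 && elem > UINT32_MAX / relocs_num)
        return false;               /* product would exceed 32 bits */
    *bytes = elem * relocs_num;
    return true;
}

int main(void)
{
    uint32_t n = 178956971u;        /* constructed: 24 * n == 2^32 + 8 */
    uint32_t bytes;
    printf("32-bit unchecked: %u relocs -> kmalloc(%u)\n",
           n, reloc_bytes_32bit_unchecked(n));
    printf("64-bit:           %u relocs -> kmalloc(%llu)\n",
           n, (unsigned long long)reloc_bytes_64bit(n));
    printf("32-bit checked:   %s\n",
           reloc_bytes_32bit_checked(n, &bytes) ? "allowed" : "rejected");
    return 0;
}
```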