On Fri, Jun 30, 2017 at 10:59:15AM +0300, Dan Carpenter wrote:
> We recently added an integer overflow check but it needs an additional
> tweak to work properly on 32 bit systems.
>
> The problem is that we're doing the right hand side of the assignment as
> type unsigned long so the max it will have an integer overflow instead
> of being larger than SIZE_MAX. That means the "sz > SIZE_MAX" condition
> is never true even on 32 bit systems. We need to first cast it to u64
> and then do the math.
>
> Fixes: 4a630fadbb29 ("drm/msm: Fix potential buffer overflow issue")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

Indeed. Thanks for the catch.

Acked-by: Jordan Crouse <jcrouse@xxxxxxxxxxxxxx>

> diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c > index 6bfca7470141..8095658e8cb4 100644 > --- a/drivers/gpu/drm/msm/msm_gem_submit.c > +++ b/drivers/gpu/drm/msm/msm_gem_submit.c > @@ -34,8 +34,8 @@ static struct msm_gem_submit *submit_create(struct drm_device *dev, > struct msm_gpu *gpu, uint32_t nr_bos, uint32_t nr_cmds) > { > struct msm_gem_submit *submit; > - uint64_t sz = sizeof(*submit) + (nr_bos * sizeof(submit->bos[0])) + > - (nr_cmds * sizeof(submit->cmd[0])); > + uint64_t sz = sizeof(*submit) + ((u64)nr_bos * sizeof(submit->bos[0])) + > + ((u64)nr_cmds * sizeof(submit->cmd[0])); > > if (sz > SIZE_MAX) > return NULL;

-- 
The Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project
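
Review bot: the `if (sz > SIZE_MAX)` check in the trailing context of the quoted hunk now depends entirely on the two `(u64)` casts in the `+` lines, and nothing in the code says so. Because `nr_bos` and `nr_cmds` are `uint32_t`, a later cleanup that drops either cast would put the multiplication back in the narrower type described in the commit message and make the check dead again on 32 bit systems, with no compiler complaint. A one-line comment above the `sz` declaration stating that the products must be computed in 64 bits before the comparison would protect it. A smaller style point on the same statement: the declaration spells the type `uint64_t` while the casts spell it `u64`; using one spelling throughout would read better.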