[PATCH] drm/i915: Fix integer overflow tests

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



There are some potential integer overflows here on 64 bit systems.

The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be
true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the
check for now and look a couple lines after:

	if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
                                          ^^^^^^^^^^^
"nfences" is an unsigned int, so if we set it to UINT_MAX and multiply
by two, it's going to have an integer overflow.  The "args->buffer_count"
is also an unsigned int so it could overflow if it's set to UINT_MAX
when we do:

	exec2_list = kvmalloc_array(args->buffer_count + 1, sz,
                                    ^^^^^^^^^^^^^^^^^^^^^^
Fixes: 2889caa92321 ("drm/i915: Eliminate lots of iterations over the execobjects array")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index 15ab3e6792f9..f569721aad1a 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -2152,7 +2152,7 @@ get_fence_array(struct drm_i915_gem_execbuffer2 *args,
 	if (!(args->flags & I915_EXEC_FENCE_ARRAY))
 		return NULL;
 
-	if (nfences > SIZE_MAX / sizeof(*fences))
+	if (nfences > UINT_MAX / sizeof(*fences))
 		return ERR_PTR(-EINVAL);
 
 	user = u64_to_user_ptr(args->cliprects_ptr);
@@ -2520,7 +2520,7 @@ i915_gem_execbuffer(struct drm_device *dev, void *data,
 	unsigned int i;
 	int err;
 
-	if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) {
+	if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) {
 		DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count);
 		return -EINVAL;
 	}
@@ -2609,7 +2609,7 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data,
 	struct drm_syncobj **fences = NULL;
 	int err;
 
-	if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) {
+	if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) {
 		DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count);
 		return -EINVAL;
 	}
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel




[Index of Archives]     [Linux DRI Users]     [Linux Intel Graphics]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux