On Mon, Mar 11, 2013 at 1:52 PM, Chris Wilson <chris@xxxxxxxxxxxxxxxxxx> wrote: > On Mon, Mar 11, 2013 at 12:27:16PM -0700, Kees Cook wrote: >> It is possible to wrap the counter used to allocate the buffer for >> relocation copies. This could lead to heap writing overflows. > > Seems a sensible check, just in the wrong location. You need to do the > checking upfront in validate_exec_list() so that the error condition is > always hit and that the limits are applied consistently to all > execbuffers. I opted for it here because it kept it out of the fast path which didn't need this check (it uses a list rather than an array). I will move it to validate_exec_list(). Thanks! -Kees -- Kees Cook Chrome OS Security _______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/dri-devel
