Re: [PATCH v3] drm/i915: bounds check execbuffer relocation count

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Mar 11, 2013 at 05:31:45PM -0700, Kees Cook wrote:
> It is possible to wrap the counter used to allocate the buffer for
> relocation copies. This could lead to heap writing overflows.
> 
> CVE-2013-0913
> 
> v3: collapse test, improve comment
> v2: move check into validate_exec_list
> 
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
> Reported-by: Pinkie Pie
> Cc: stable@xxxxxxxxxxxxxxx

Looks good to me. The only bikeshed that remains is whether we should
just collapse the two variables into one, but the current 'max - count'
is more idiomatic and so preferrable.
Reviewed-by: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>
-Chris

-- 
Chris Wilson, Intel Open Source Technology Centre
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/dri-devel


[Index of Archives]     [Linux DRI Users]     [Linux Intel Graphics]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux