Re: [Freedreno] [PATCH] drm/msm: fix an integer overflow test

On Fri, Jun 30, 2017 at 10:59:15AM +0300, Dan Carpenter wrote:
> We recently added an integer overflow check but it needs an additional
> tweak to work properly on 32 bit systems.
> 
> The problem is that we're doing the right hand side of the assignment as
> type unsigned long so the max it will have an integer overflow instead
> of being larger than SIZE_MAX.  That means the "sz > SIZE_MAX" condition
> is never true even on 32 bit systems.  We need to first cast it to u64
> and then do the math.
> 
> Fixes: 4a630fadbb29 ("drm/msm: Fix potential buffer overflow issue")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

Indeed. Thanks for the catch.

Acked-by: Jordan Crouse <jcrouse@xxxxxxxxxxxxxx>

> diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
> index 6bfca7470141..8095658e8cb4 100644
> --- a/drivers/gpu/drm/msm/msm_gem_submit.c
> +++ b/drivers/gpu/drm/msm/msm_gem_submit.c
> @@ -34,8 +34,8 @@ static struct msm_gem_submit *submit_create(struct drm_device *dev,
>  		struct msm_gpu *gpu, uint32_t nr_bos, uint32_t nr_cmds)
>  {
>  	struct msm_gem_submit *submit;
> -	uint64_t sz = sizeof(*submit) + (nr_bos * sizeof(submit->bos[0])) +
> -		(nr_cmds * sizeof(submit->cmd[0]));
> +	uint64_t sz = sizeof(*submit) + ((u64)nr_bos * sizeof(submit->bos[0])) +
> +		((u64)nr_cmds * sizeof(submit->cmd[0]));
>  
>  	if (sz > SIZE_MAX)
>  		return NULL;
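Review bot: the new right-hand side casts with `(u64)` while `sz` on the same line is still declared `uint64_t`; use one spelling for both so the widening reads consistently. The `sz > SIZE_MAX` test below now works only because each count is widened before its multiply, so a one-line comment above the declaration saying the casts are required on 32-bit would keep a later cleanup from dropping them. On 64-bit a `uint64_t` can never exceed `SIZE_MAX`, so the comparison is effectively a 32-bit-only guard, which is worth saying in that same comment.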

-- 
The Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project
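
The 32-bit behaviour described in the commit message, as an added example that is not part of the original thread or the driver's code. It models a 32-bit `size_t` with `uint32_t` so it behaves the same on any host; `size32_t`, `SIZE32_MAX` and the three element sizes are constructed stand-ins for the driver's `sizeof()` values.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of a 32-bit target: size_t and unsigned long are 32 bits wide. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Constructed sizes standing in for sizeof(*submit), bos[0], cmd[0]. */
#define HDR_SZ ((size32_t)64)
#define BO_SZ  ((size32_t)40)
#define CMD_SZ ((size32_t)16)

/* Pre-patch form: the sum is computed in 32 bits and wraps, and only the
 * already-wrapped result is widened when it is assigned to sz. */
static uint64_t sz_before(uint32_t nr_bos, uint32_t nr_cmds)
{
	uint64_t sz = HDR_SZ + (nr_bos * BO_SZ) + (nr_cmds * CMD_SZ);
	return sz;
}

/* Patched form: each count is widened first, so the products and the sum
 * are computed in 64 bits and keep their true value. */
static uint64_t sz_after(uint32_t nr_bos, uint32_t nr_cmds)
{
	uint64_t sz = HDR_SZ + ((uint64_t)nr_bos * BO_SZ) +
		((uint64_t)nr_cmds * CMD_SZ);
	return sz;
}

/* The overflow test from the patch context, against the modelled SIZE_MAX. */
static int rejected(uint64_t sz)
{
	return sz > SIZE32_MAX;
}

int main(void)
{
	uint32_t nr_bos = 0x20000000u;	/* constructed: 2^29 * 40 == 5 * 2^32 */

	printf("before: sz=%llu rejected=%d\n",
	       (unsigned long long)sz_before(nr_bos, 0), rejected(sz_before(nr_bos, 0)));
	printf("after:  sz=%llu rejected=%d\n",
	       (unsigned long long)sz_after(nr_bos, 0), rejected(sz_after(nr_bos, 0)));
	return 0;
}
```

With the constructed count, the pre-patch expression yields a size of 64 bytes for 2^29 entries and passes the check, while the patched expression yields the true size and is rejected.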