* [PATCH v2 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2()
@ 2012-04-23 8:06 ` Xi Wang
0 siblings, 0 replies; 9+ messages in thread
From: Xi Wang @ 2012-04-23 8:06 UTC (permalink / raw)
To: Daniel Vetter, Keith Packard
Cc: intel-gfx, dri-devel, linux-kernel, security, Xi Wang,
Chris Wilson, stable
On 32-bit systems, a large args->buffer_count from userspace via ioctl
may overflow the allocation size, leading to out-of-bounds access.
This vulnerability was introduced in commit 8408c282 ("drm/i915:
First try a normal large kmalloc for the temporary exec buffers").
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@vger.kernel.org
---
drivers/gpu/drm/i915/i915_gem_execbuffer.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index f51a696..7c50e58 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -1404,7 +1404,8 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data,
struct drm_i915_gem_exec_object2 *exec2_list = NULL;
int ret;
- if (args->buffer_count < 1) {
+ if (args->buffer_count < 1 ||
+ args->buffer_count > UINT_MAX / sizeof(*exec2_list)) {
DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count);
return -EINVAL;
}
--
1.7.5.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v2 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2()
@ 2012-04-23 8:06 ` Xi Wang
0 siblings, 0 replies; 9+ messages in thread
From: Xi Wang @ 2012-04-23 8:06 UTC (permalink / raw)
To: Daniel Vetter, Keith Packard
Cc: security, intel-gfx, linux-kernel, dri-devel, stable
On 32-bit systems, a large args->buffer_count from userspace via ioctl
may overflow the allocation size, leading to out-of-bounds access.
This vulnerability was introduced in commit 8408c282 ("drm/i915:
First try a normal large kmalloc for the temporary exec buffers").
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@vger.kernel.org
---
drivers/gpu/drm/i915/i915_gem_execbuffer.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index f51a696..7c50e58 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -1404,7 +1404,8 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data,
struct drm_i915_gem_exec_object2 *exec2_list = NULL;
int ret;
- if (args->buffer_count < 1) {
+ if (args->buffer_count < 1 ||
+ args->buffer_count > UINT_MAX / sizeof(*exec2_list)) {
DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count);
return -EINVAL;
}
--
1.7.5.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v2 2/2] drm/i915: fix integer overflow in i915_gem_do_execbuffer()
2012-04-23 8:06 ` Xi Wang
(?)
@ 2012-04-23 8:06 ` Xi Wang
2012-04-23 8:18 ` Chris Wilson
-1 siblings, 1 reply; 9+ messages in thread
From: Xi Wang @ 2012-04-23 8:06 UTC (permalink / raw)
To: Daniel Vetter, Keith Packard
Cc: intel-gfx, dri-devel, linux-kernel, security, Xi Wang,
Chris Wilson, stable
On 32-bit systems, a large args->num_cliprects from userspace via ioctl
may overflow the allocation size, leading to out-of-bounds access.
This vulnerability was introduced in commit 432e58ed ("drm/i915: Avoid
allocation for execbuffer object list").
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@vger.kernel.org
---
drivers/gpu/drm/i915/i915_gem_execbuffer.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index 7c50e58..de43194 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -1133,6 +1133,11 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data,
return -EINVAL;
}
+ if (args->num_cliprects > UINT_MAX / sizeof(*cliprects)) {
+ DRM_DEBUG("execbuf with %u cliprects\n",
+ args->num_cliprects);
+ return -EINVAL;
+ }
cliprects = kmalloc(args->num_cliprects * sizeof(*cliprects),
GFP_KERNEL);
if (cliprects == NULL) {
--
1.7.5.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH v2 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2()
2012-04-23 8:06 ` Xi Wang
@ 2012-04-23 8:18 ` Chris Wilson
-1 siblings, 0 replies; 9+ messages in thread
From: Chris Wilson @ 2012-04-23 8:18 UTC (permalink / raw)
To: Xi Wang, Daniel Vetter, Keith Packard
Cc: intel-gfx, dri-devel, linux-kernel, security, Xi Wang, stable
On Mon, 23 Apr 2012 04:06:41 -0400, Xi Wang <xi.wang@gmail.com> wrote:
> On 32-bit systems, a large args->buffer_count from userspace via ioctl
> may overflow the allocation size, leading to out-of-bounds access.
>
> This vulnerability was introduced in commit 8408c282 ("drm/i915:
> First try a normal large kmalloc for the temporary exec buffers").
>
> Signed-off-by: Xi Wang <xi.wang@gmail.com>
> Cc: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: stable@vger.kernel.org
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
-Chris
--
Chris Wilson, Intel Open Source Technology Centre
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2()
@ 2012-04-23 8:18 ` Chris Wilson
0 siblings, 0 replies; 9+ messages in thread
From: Chris Wilson @ 2012-04-23 8:18 UTC (permalink / raw)
To: Xi Wang, Daniel Vetter, Keith Packard
Cc: security, intel-gfx, linux-kernel, stable, dri-devel
On Mon, 23 Apr 2012 04:06:41 -0400, Xi Wang <xi.wang@gmail.com> wrote:
> On 32-bit systems, a large args->buffer_count from userspace via ioctl
> may overflow the allocation size, leading to out-of-bounds access.
>
> This vulnerability was introduced in commit 8408c282 ("drm/i915:
> First try a normal large kmalloc for the temporary exec buffers").
>
> Signed-off-by: Xi Wang <xi.wang@gmail.com>
> Cc: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: stable@vger.kernel.org
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
-Chris
--
Chris Wilson, Intel Open Source Technology Centre
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2 2/2] drm/i915: fix integer overflow in i915_gem_do_execbuffer()
2012-04-23 8:06 ` [PATCH v2 2/2] drm/i915: fix integer overflow in i915_gem_do_execbuffer() Xi Wang
@ 2012-04-23 8:18 ` Chris Wilson
0 siblings, 0 replies; 9+ messages in thread
From: Chris Wilson @ 2012-04-23 8:18 UTC (permalink / raw)
To: Xi Wang, Daniel Vetter, Keith Packard
Cc: intel-gfx, dri-devel, linux-kernel, security, Xi Wang, stable
On Mon, 23 Apr 2012 04:06:42 -0400, Xi Wang <xi.wang@gmail.com> wrote:
> On 32-bit systems, a large args->num_cliprects from userspace via ioctl
> may overflow the allocation size, leading to out-of-bounds access.
>
> This vulnerability was introduced in commit 432e58ed ("drm/i915: Avoid
> allocation for execbuffer object list").
>
> Signed-off-by: Xi Wang <xi.wang@gmail.com>
> Cc: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: stable@vger.kernel.org
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
-Chris
--
Chris Wilson, Intel Open Source Technology Centre
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2 2/2] drm/i915: fix integer overflow in i915_gem_do_execbuffer()
@ 2012-04-23 8:18 ` Chris Wilson
0 siblings, 0 replies; 9+ messages in thread
From: Chris Wilson @ 2012-04-23 8:18 UTC (permalink / raw)
To: Daniel Vetter, Keith Packard
Cc: intel-gfx, dri-devel, linux-kernel, security, Xi Wang, stable
On Mon, 23 Apr 2012 04:06:42 -0400, Xi Wang <xi.wang@gmail.com> wrote:
> On 32-bit systems, a large args->num_cliprects from userspace via ioctl
> may overflow the allocation size, leading to out-of-bounds access.
>
> This vulnerability was introduced in commit 432e58ed ("drm/i915: Avoid
> allocation for execbuffer object list").
>
> Signed-off-by: Xi Wang <xi.wang@gmail.com>
> Cc: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: stable@vger.kernel.org
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
-Chris
--
Chris Wilson, Intel Open Source Technology Centre
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2()
2012-04-23 8:18 ` Chris Wilson
@ 2012-04-23 20:44 ` Daniel Vetter
-1 siblings, 0 replies; 9+ messages in thread
From: Daniel Vetter @ 2012-04-23 20:44 UTC (permalink / raw)
To: Chris Wilson
Cc: Xi Wang, Daniel Vetter, Keith Packard, security, intel-gfx,
linux-kernel, stable, dri-devel
On Mon, Apr 23, 2012 at 09:18:25AM +0100, Chris Wilson wrote:
> On Mon, 23 Apr 2012 04:06:41 -0400, Xi Wang <xi.wang@gmail.com> wrote:
> > On 32-bit systems, a large args->buffer_count from userspace via ioctl
> > may overflow the allocation size, leading to out-of-bounds access.
> >
> > This vulnerability was introduced in commit 8408c282 ("drm/i915:
> > First try a normal large kmalloc for the temporary exec buffers").
> >
> > Signed-off-by: Xi Wang <xi.wang@gmail.com>
> > Cc: Chris Wilson <chris@chris-wilson.co.uk>
> > Cc: stable@vger.kernel.org
> Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Both patches picked up for -fixes, thanks.
-Daniel
--
Daniel Vetter
Mail: daniel@ffwll.ch
Mobile: +41 (0)79 365 57 48
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2()
@ 2012-04-23 20:44 ` Daniel Vetter
0 siblings, 0 replies; 9+ messages in thread
From: Daniel Vetter @ 2012-04-23 20:44 UTC (permalink / raw)
To: Chris Wilson
Cc: Daniel Vetter, intel-gfx, security, stable, linux-kernel, dri-devel
On Mon, Apr 23, 2012 at 09:18:25AM +0100, Chris Wilson wrote:
> On Mon, 23 Apr 2012 04:06:41 -0400, Xi Wang <xi.wang@gmail.com> wrote:
> > On 32-bit systems, a large args->buffer_count from userspace via ioctl
> > may overflow the allocation size, leading to out-of-bounds access.
> >
> > This vulnerability was introduced in commit 8408c282 ("drm/i915:
> > First try a normal large kmalloc for the temporary exec buffers").
> >
> > Signed-off-by: Xi Wang <xi.wang@gmail.com>
> > Cc: Chris Wilson <chris@chris-wilson.co.uk>
> > Cc: stable@vger.kernel.org
> Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Both patches picked up for -fixes, thanks.
-Daniel
--
Daniel Vetter
Mail: daniel@ffwll.ch
Mobile: +41 (0)79 365 57 48
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2012-04-23 20:43 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-04-23 8:06 [PATCH v2 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2() Xi Wang
2012-04-23 8:06 ` Xi Wang
2012-04-23 8:06 ` [PATCH v2 2/2] drm/i915: fix integer overflow in i915_gem_do_execbuffer() Xi Wang
2012-04-23 8:18 ` Chris Wilson
2012-04-23 8:18 ` Chris Wilson
2012-04-23 8:18 ` [PATCH v2 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2() Chris Wilson
2012-04-23 8:18 ` Chris Wilson
2012-04-23 20:44 ` Daniel Vetter
2012-04-23 20:44 ` Daniel Vetter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.