From: Vladis Dronov <vdronov@redhat.com>
To: VMware Graphics <linux-graphics-maintainer@vmware.com>,
	Sinclair Yeh <syeh@vmware.com>,
	Thomas Hellstrom <thellstrom@vmware.com>,
	David Airlie <airlied@linux.ie>,
	dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Cc: Vladis Dronov <vdronov@redhat.com>
Subject: [PATCH] drm/vmwgfx: Check that number of mip levels is above zero in vmw_surface_define_ioctl()
Date: Fri, 24 Mar 2017 16:37:10 +0100
Message-ID: <20170324153710.8706-1-vdronov@redhat.com>

In vmw_surface_define_ioctl(), a num_sizes parameter is assigned a
user-controlled value which is not checked for zero. It is used in
a call to kmalloc() which returns ZERO_SIZE_PTR. Later ZERO_SIZE_PTR
is dereferenced which leads to a GPF and possibly to a kernel panic.
Add the check for zero to avoid this.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1435719
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
---
 drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
index b445ce9..42840cc 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
 	for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
 		num_sizes += req->mip_levels[i];
 
-	if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
-	    DRM_VMW_MAX_MIP_LEVELS)
+	if (num_sizes <= 0 ||
+	    num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS)
 		return -EINVAL;
 
 	size = vmw_user_surface_size + 128 +
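
Review bot: The new `num_sizes <= 0` test in the `if` validates only the total accumulated by the loop above it, so each user-supplied `req->mip_levels[i]` is still added without its own bound. Depending on the types of num_sizes and mip_levels (not visible in this hunk), a sum that wraps could fall inside the accepted range while individual faces carry counts above DRM_VMW_MAX_MIP_LEVELS. Consider rejecting any `req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS` inside the loop before adding it to num_sizes. If num_sizes is unsigned, `== 0` states the intent more directly than `<= 0`; if it is signed, a one-line comment on how a negative sum can arise would help the next reader.
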
-- 
2.9.3
