Re: bug report: potential integer overflow in validate_exec_list()

21 Nov 2010


      On Sat, 20 Nov 2010 21:32:07 +0300, Dan Carpenter error27@gmail.com wrote:
...
Hello Chris,
Is there an integer overflow in validate_exec_list()?
drivers/gpu/drm/i915/i915_gem.c
  3633          size_t length = exec[i].relocation_count * sizeof(struct drm_i915_gem_relocation_entry);
  3634  
  3635          if (!access_ok(VERIFY_READ, ptr, length))
  3636                  return -EFAULT;
  3637
My concern is that if relocation_count is larger than 0x8000000 the
multiplication can wrap.
Yes, it could. Not through normal use since relocation count can not be
more than buffer length, hence realistically capped at around 4k entries.
However...
Thanks,
-Chris
-- 
Chris Wilson, Intel Open Source Technology Centre

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

Re: bug report: potential integer overflow in validate_exec_list()