The test:
if (size > RADEON_MAX_TEXTURE_SIZE) {
"size" is an integer and it's controled by the user so it can be negative and the test can underflow. Later we use "size" in:
dwords = size / 4; ... RADEON_COPY_MT(buffer, data, (int)(dwords * sizeof(u32)));
It causes memory corruption to copy a negative size buffer.
Signed-off-by: Dan Carpenter dan.carpenter@oracle.com --- Static checkers complain about the integer overflows here, and there are many real overflows but they appear harmless.
diff --git a/drivers/gpu/drm/radeon/radeon_state.c b/drivers/gpu/drm/radeon/radeon_state.c index 535403e..15aee72 100644 --- a/drivers/gpu/drm/radeon/radeon_state.c +++ b/drivers/gpu/drm/radeon/radeon_state.c @@ -1703,7 +1703,7 @@ static int radeon_cp_dispatch_texture(struct drm_device * dev, u32 format; u32 *buffer; const u8 __user *data; - int size, dwords, tex_width, blit_width, spitch; + unsigned int size, dwords, tex_width, blit_width, spitch; u32 height; int i; u32 texpitch, microtile;
Am 23.12.2014 um 10:56 schrieb Dan Carpenter:
The test:
if (size > RADEON_MAX_TEXTURE_SIZE) {
"size" is an integer and it's controled by the user so it can be negative and the test can underflow. Later we use "size" in:
dwords = size / 4; ... RADEON_COPY_MT(buffer, data, (int)(dwords * sizeof(u32)));
It causes memory corruption to copy a negative size buffer.
Signed-off-by: Dan Carpenter dan.carpenter@oracle.com
This specific line of code is completely deprecated and the patch is just another coffin nail to finally remove it.
But since we can't be sure that it doesn't break any userspace still in use I'm generally ok to apply the patch and it is Reviewed-by: Christian König christian.koenig@amd.com
Regards, Christian.
Static checkers complain about the integer overflows here, and there are many real overflows but they appear harmless.
diff --git a/drivers/gpu/drm/radeon/radeon_state.c b/drivers/gpu/drm/radeon/radeon_state.c index 535403e..15aee72 100644 --- a/drivers/gpu/drm/radeon/radeon_state.c +++ b/drivers/gpu/drm/radeon/radeon_state.c @@ -1703,7 +1703,7 @@ static int radeon_cp_dispatch_texture(struct drm_device * dev, u32 format; u32 *buffer; const u8 __user *data;
- int size, dwords, tex_width, blit_width, spitch;
- unsigned int size, dwords, tex_width, blit_width, spitch; u32 height; int i; u32 texpitch, microtile;
On Tue, Dec 23, 2014 at 4:56 AM, Dan Carpenter dan.carpenter@oracle.com wrote:
The test:
if (size > RADEON_MAX_TEXTURE_SIZE) {"size" is an integer and it's controled by the user so it can be negative and the test can underflow. Later we use "size" in:
dwords = size / 4; ... RADEON_COPY_MT(buffer, data, (int)(dwords * sizeof(u32)));It causes memory corruption to copy a negative size buffer.
Signed-off-by: Dan Carpenter dan.carpenter@oracle.com
Applied to my fixes tree. thanks!
Alex
Static checkers complain about the integer overflows here, and there are many real overflows but they appear harmless.
diff --git a/drivers/gpu/drm/radeon/radeon_state.c b/drivers/gpu/drm/radeon/radeon_state.c index 535403e..15aee72 100644 --- a/drivers/gpu/drm/radeon/radeon_state.c +++ b/drivers/gpu/drm/radeon/radeon_state.c @@ -1703,7 +1703,7 @@ static int radeon_cp_dispatch_texture(struct drm_device * dev, u32 format; u32 *buffer; const u8 __user *data;
int size, dwords, tex_width, blit_width, spitch;
unsigned int size, dwords, tex_width, blit_width, spitch; u32 height; int i; u32 texpitch, microtile;
dri-devel mailing list dri-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/dri-devel
dri-devel@lists.freedesktop.org
-
Alex Deucher -
Christian König -
Dan Carpenter