[PATCH] drm/vmwgfx: Check check that number of mip levels is above zero in vmw_surface_define_ioctl()
In vmw_surface_define_ioctl(), a num_sizes parameter is assigned a user-controlled value which is not checked for zero. It is used in a call to kmalloc() which returns ZERO_SIZE_PTR. Later ZERO_SIZE_PTR is dereferenced which leads to a GPF and possibly to a kernel panic. Add the check for zero to avoid this.
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1435719 Signed-off-by: Vladis Dronov vdronov@redhat.com --- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c index b445ce9..42840cc 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c @@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data, for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) num_sizes += req->mip_levels[i];
- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * - DRM_VMW_MAX_MIP_LEVELS) + if (num_sizes <= 0 || + num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS) return -EINVAL;
size = vmw_user_surface_size + 128 +
Hi,
thank you for this patch. Murray McAllister reported this one a couple of months ago, and this is already in our queue.
Sinclair
On Fri, Mar 24, 2017 at 04:37:10PM +0100, Vladis Dronov wrote:
In vmw_surface_define_ioctl(), a num_sizes parameter is assigned a user-controlled value which is not checked for zero. It is used in a call to kmalloc() which returns ZERO_SIZE_PTR. Later ZERO_SIZE_PTR is dereferenced which leads to a GPF and possibly to a kernel panic. Add the check for zero to avoid this.
Reference: https://urldefense.proofpoint.com/v2/url?u=https-3A__bugzilla.redhat.com_sho... Signed-off-by: Vladis Dronov vdronov@redhat.com
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c index b445ce9..42840cc 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c @@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data, for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) num_sizes += req->mip_levels[i];
- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
DRM_VMW_MAX_MIP_LEVELS)
if (num_sizes <= 0 ||
num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS)return -EINVAL;
size = vmw_user_surface_size + 128 +
-- 2.9.3
dri-devel@lists.freedesktop.org
-
Sinclair Yeh -
Vladis Dronov