Commit 48e308ef authored by Kees Cook's avatar Kees Cook Committed by Ben Hutchings

drm/i915: bounds check execbuffer relocation count

commit 3118a4f6 upstream.

It is possible to wrap the counter used to allocate the buffer for
relocation copies. This could lead to heap writing overflows.

CVE-2013-0913

v3: collapse test, improve comment
v2: move check into validate_exec_list
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Reported-by: Pinkie Pie
Reviewed-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
parent 1464096d
...@@ -907,15 +907,20 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec, ...@@ -907,15 +907,20 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
int count) int count)
{ {
int i; int i;
int relocs_total = 0;
int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
for (i = 0; i < count; i++) { for (i = 0; i < count; i++) {
char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr; char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
int length; /* limited by fault_in_pages_readable() */ int length; /* limited by fault_in_pages_readable() */
/* First check for malicious input causing overflow */ /* First check for malicious input causing overflow in
if (exec[i].relocation_count > * the worst case where we need to allocate the entire
INT_MAX / sizeof(struct drm_i915_gem_relocation_entry)) * relocation tree as a single array.
*/
if (exec[i].relocation_count > relocs_max - relocs_total)
return -EINVAL; return -EINVAL;
relocs_total += exec[i].relocation_count;
length = exec[i].relocation_count * length = exec[i].relocation_count *
sizeof(struct drm_i915_gem_relocation_entry); sizeof(struct drm_i915_gem_relocation_entry);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment