Commit 7943d194 authored by Vladis Dronov's avatar Vladis Dronov Committed by Ben Hutchings

drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl()

commit ee9c4e68 upstream.

The 'req->mip_levels' parameter in vmw_gb_surface_define_ioctl() is
a user-controlled 'uint32_t' value which is used as a loop count limit.
This can lead to a kernel lockup and DoS. Add check for 'req->mip_levels'.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1437431Signed-off-by: default avatarVladis Dronov <vdronov@redhat.com>
Reviewed-by: default avatarSinclair Yeh <syeh@vmware.com>
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
parent 702f4dd2
...@@ -1251,6 +1251,9 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data, ...@@ -1251,6 +1251,9 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
const struct svga3d_surface_desc *desc; const struct svga3d_surface_desc *desc;
uint32_t backup_handle; uint32_t backup_handle;
if (req->mip_levels > DRM_VMW_MAX_MIP_LEVELS)
return -EINVAL;
if (unlikely(vmw_user_surface_size == 0)) if (unlikely(vmw_user_surface_size == 0))
vmw_user_surface_size = ttm_round_pot(sizeof(*user_srf)) + vmw_user_surface_size = ttm_round_pot(sizeof(*user_srf)) +
128; 128;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment