[patch 1/4] drm/qxl: integer overflow in qxl_process_single_command()
Dan Carpenter
dan.carpenter at oracle.com
Thu Sep 17 04:23:11 PDT 2015
This size calculation can overflow on 32 bit systems leading to memory
corruption.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c
index bda5c5f..eda6f30 100644
--- a/drivers/gpu/drm/qxl/qxl_ioctl.c
+++ b/drivers/gpu/drm/qxl/qxl_ioctl.c
@@ -168,7 +168,7 @@ static int qxl_process_single_command(struct qxl_device *qdev,
cmd->command_size))
return -EFAULT;
- reloc_info = kmalloc(sizeof(struct qxl_reloc_info) * cmd->relocs_num, GFP_KERNEL);
+ reloc_info = kmalloc_array(cmd->relocs_num, sizeof(struct qxl_reloc_info), GFP_KERNEL);
if (!reloc_info)
return -ENOMEM;
More information about the dri-devel
mailing list