bug report: potential integer overflow in validate_exec_list()
Dan Carpenter
error27 at gmail.com
Sat Nov 20 10:32:07 PST 2010
Hello Chris,
Is there an integer overflow in validate_exec_list()?
drivers/gpu/drm/i915/i915_gem.c
3633 size_t length = exec[i].relocation_count * sizeof(struct drm_i915_gem_relocation_entry);
3634
3635 if (!access_ok(VERIFY_READ, ptr, length))
3636 return -EFAULT;
3637
My concern is that if relocation_count is larger than 0x8000000 the
multiplication can wrap.
This code was added in 2549d6c2 "drm/i915: Avoid vmallocing a buffer for
the relocations"
regards,
dan carpenter
More information about the dri-devel
mailing list