bug report: potential integer overflow in validate_exec_list()
error27 at gmail.com
Mon Nov 22 01:56:42 PST 2010
On Sun, Nov 21, 2010 at 09:23:46AM +0000, Chris Wilson wrote:
> On Sat, 20 Nov 2010 21:32:07 +0300, Dan Carpenter <error27 at gmail.com> wrote:
> > Hello Chris,
> > Is there an integer overflow in validate_exec_list()?
> > drivers/gpu/drm/i915/i915_gem.c
> > 3633 size_t length = exec[i].relocation_count * sizeof(struct drm_i915_gem_relocation_entry);
> > 3634
> > 3635 if (!access_ok(VERIFY_READ, ptr, length))
> > 3636 return -EFAULT;
> > 3637
> > My concern is that if relocation_count is larger than 0x8000000 the
> > multiplication can wrap.
> Yes, it could. Not through normal use since relocation count can not be
> more than buffer length, hence realistically capped at around 4k entries.
If the user deliberately made it wrap to get past the access_ok() check
then it would just return -ENOENT in i915_gem_execbuffer_relocate()
It doesn't look like there are any security implications but I just
wanted to be sure.
More information about the dri-devel