[PATCH] drm/i915: bounds check execbuffer relocations
Kees Cook
keescook at chromium.org
Mon Mar 11 14:08:22 PDT 2013
On Mon, Mar 11, 2013 at 1:52 PM, Chris Wilson <chris at chris-wilson.co.uk> wrote:
> On Mon, Mar 11, 2013 at 12:27:16PM -0700, Kees Cook wrote:
>> It is possible to wrap the counter used to allocate the buffer for
>> relocation copies. This could lead to heap writing overflows.
>
> Seems a sensible check, just in the wrong location. You need to do the
> checking upfront in validate_exec_list() so that the error condition is
> always hit and that the limits are applied consistently to all
> execbuffers.
I opted for it here because it kept it out of the fast path which
didn't need this check (it uses a list rather than an array). I will
move it to validate_exec_list().
Thanks!
-Kees
--
Kees Cook
Chrome OS Security
More information about the dri-devel
mailing list