[patch 1/4] drm/qxl: integer overflow in qxl_process_single_command()

Fri Sep 18 02:50:09 PDT 2015

> 
> This size calculation can overflow on 32 bit systems leading to memory
> corruption.
> 
> Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
> Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
> 
> diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c
> b/drivers/gpu/drm/qxl/qxl_ioctl.c
> index bda5c5f..eda6f30 100644
> --- a/drivers/gpu/drm/qxl/qxl_ioctl.c
> +++ b/drivers/gpu/drm/qxl/qxl_ioctl.c
> @@ -168,7 +168,7 @@ static int qxl_process_single_command(struct qxl_device
> *qdev,
>  		       cmd->command_size))
>  		return -EFAULT;
>  
> -	reloc_info = kmalloc(sizeof(struct qxl_reloc_info) * cmd->relocs_num,
> GFP_KERNEL);
> +	reloc_info = kmalloc_array(cmd->relocs_num, sizeof(struct qxl_reloc_info),
> GFP_KERNEL);
>  	if (!reloc_info)
>  		return -ENOMEM;
>  
> 

Looks fine.

Acked.

Frediano