Overflow and apparent kernel scribble in QXL driver
One Thousand Gnomes
gnomes at lxorguk.ukuu.org.uk
Mon Feb 15 15:22:27 UTC 2016
qxl_execbuffer_ioctl copies a qxl_command from user space into a kernel
buffer and then runs qxl_process_single_command. This then does
reloc_info = kmalloc(sizeof(struct qxl_reloc_info) * cmd->relocs_num,
which, since cmd->relocs_num is 32-bit, can overflow on a 32-bit machine. This
then allocates a reloc_info which is very small.
We then copy all the relocs and in doing so scribble all over random
kernel memory. In mitigation, the data we scribble is somewhat out of
the user's control.
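The size arithmetic described in the report, as an added example that is not part of the original post or the driver's code: it models sizeof(struct qxl_reloc_info) * cmd->relocs_num with a 32-bit size_t, shows how the product wraps to a tiny allocation, and gives the overflow-checked form the kernel's kcalloc()/array_size() helpers implement. The element size and function names are assumptions for illustration only.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed element size (the real sizeof(struct qxl_reloc_info) differs); only
 * the wrap-around behaviour of the product matters here. */
#define RELOC_INFO_SIZE 16u

/* size_t on a 32-bit kernel */
typedef uint32_t size32_t;

/* Unchecked: computes the byte count exactly as the reported kmalloc() call
 * does. Both operands are 32-bit, so the product wraps modulo 2^32. */
static size32_t unchecked_alloc_size(uint32_t relocs_num)
{
    return (size32_t)RELOC_INFO_SIZE * relocs_num;
}

/* Checked: refuse the request when the multiplication cannot fit in a 32-bit
 * size, which is what kcalloc()/array_size() do. Returns false on overflow. */
static bool checked_alloc_size(uint32_t relocs_num, size32_t *out)
{
    if (relocs_num != 0 && RELOC_INFO_SIZE > UINT32_MAX / relocs_num)
        return false;
    *out = (size32_t)RELOC_INFO_SIZE * relocs_num;
    return true;
}

/* True when copying relocs_num elements into the unchecked allocation would
 * run past its end, i.e. the "scribble" the report describes. */
static bool copy_exceeds_unchecked_alloc(uint32_t relocs_num)
{
    uint64_t needed = (uint64_t)RELOC_INFO_SIZE * relocs_num;
    return needed > unchecked_alloc_size(relocs_num);
}

int main(void)
{
    uint32_t relocs_num = 0x10000001u; /* constructed: 16 * this wraps to 16 */
    size32_t sz;

    printf("unchecked size: %u bytes\n", unchecked_alloc_size(relocs_num));
    printf("copy exceeds allocation: %s\n",
           copy_exceeds_unchecked_alloc(relocs_num) ? "yes" : "no");
    printf("checked alloc accepted: %s\n",
           checked_alloc_size(relocs_num, &sz) ? "yes" : "no");
    return 0;
}
```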