Overflow and apparent kernel scribble in QXL driver

One Thousand Gnomes gnomes at lxorguk.ukuu.org.uk
Mon Feb 15 15:22:27 UTC 2016

qxl_execbuffer_ioctl copies a qxl_command from user space into a kernel
buffer and then runs qxl_process_single_command. This then does

     reloc_info = kmalloc(sizeof(struct qxl_reloc_info) * cmd->relocs_num,

which since cmd->relocs_num is 32bit can overflow on a 32bit machine. This
then allocates a reloc_info which is very small.

We then copy all the relocs and in doing so scribble all over random
kernel memory. In mitigation the data we scribble is somewhat out of
the users control.


More information about the dri-devel mailing list