[PATCH v2] drm/i915: Fix integer overflow tests

Dan Carpenter dan.carpenter at oracle.com
Fri Aug 18 08:01:03 UTC 2017


On Fri, Aug 18, 2017 at 08:46:25AM +0100, Chris Wilson wrote:
> Quoting Dan Carpenter (2017-08-18 08:07:00)
> > There are some potential integer overflows here on 64 bit systems.
> > 
> > The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be
> > true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the
> > check for now and look a couple lines after:
> > 
> >         if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
> >                                           ^^^^^^^^^^^
> > "nfences" is an unsigned int, so if we set it to UINT_MAX and multiply
> > by two, it's going to have an integer overflow.  The multiplication by
> > sizeof(u32) is OK because that gets type promoted to size_t.  This patch
> > changes the access_ok() check to use sizeof(*user) which fixes the
> > integer overflow and is also more readable.
> > 
> > The "args->buffer_count" variable is an unsigned int as well so it could
> > overflow if it's set to UINT_MAX when we do:
> > 
> >         exec2_list = kvmalloc_array(args->buffer_count + 1, sz,
> >                                     ^^^^^^^^^^^^^^^^^^^^^^
> > 
> > Originally, those two integer overflow checks were against UINT_MAX
> > instead of SIZE_MAX and this patch changes them back.
> > 
> > Fixes: 2889caa92321 ("drm/i915: Eliminate lots of iterations over the execobjects array")
> > Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
> > ---
> > v2: Use sizeof(*users)
> 
> Please do consider my alternative.

I don't think you sent the email?  I haven't received any emails from
you on either my oracle.com address or through the kernel janitors list.

Can you resend?

regards
dan carpenter
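
The arithmetic described in the quoted commit message, as an added example that is not part of this thread or of the patch. The function names and struct fence_entry are hypothetical, and it assumes a 64-bit size_t with a 32-bit unsigned int:

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the user-supplied element: two u32 fields. */
struct fence_entry { uint32_t handle; uint32_t flags; };

/* Length as written before the patch: nfences * 2 is evaluated in
 * 32-bit unsigned arithmetic and wraps before the size_t promotion. */
static size_t len_before(unsigned int nfences)
{
    return nfences * 2 * sizeof(uint32_t);
}

/* Length as written after the patch: the operand of type size_t comes
 * straight after nfences, so the whole product is computed in size_t. */
static size_t len_after(unsigned int nfences)
{
    return nfences * sizeof(struct fence_entry);
}

/* Limit check against SIZE_MAX: on 64-bit no unsigned int can exceed it. */
static int rejected_size_max(unsigned int n, size_t elem)
{
    return n > SIZE_MAX / elem;
}

/* The same check against UINT_MAX, as the message says it originally was. */
static int rejected_uint_max(unsigned int n, size_t elem)
{
    return n > UINT_MAX / elem;
}

/* buffer_count + 1 in unsigned int, as in the kvmalloc_array() call. */
static unsigned int count_plus_one(unsigned int buffer_count)
{
    return buffer_count + 1;
}

int main(void)
{
    unsigned int n = 0x80000000u; /* constructed sample value */
    printf("before: %zu bytes, after: %zu bytes\n", len_before(n), len_after(n));
    printf("SIZE_MAX check rejects: %d, UINT_MAX check rejects: %d\n",
           rejected_size_max(n, 8), rejected_uint_max(n, 8));
    printf("UINT_MAX + 1 elements: %u\n", count_plus_one(UINT_MAX));
    return 0;
}
```

With the constructed value 0x80000000 the pre-patch expression yields a length of 0 bytes, so a range check on that length covers nothing, while the post-patch expression yields the full 0x400000000 bytes.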
