[Intel-gfx] [PATCH] drm/i915: Fix integer overflow tests

Dan Carpenter dan.carpenter at oracle.com
Thu Aug 17 09:50:37 UTC 2017


On Thu, Aug 17, 2017 at 12:37:00PM +0300, Imre Deak wrote:
> On Thu, Aug 17, 2017 at 09:23:10AM +0300, Dan Carpenter wrote:
> > There are some potential integer overflows here on 64 bit systems.
> > 
> > The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be
> > true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the
> > check for now and look a couple lines after:
> > 
> > 	if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
> >                                           ^^^^^^^^^^^
> > "nfences" is an unsigned int, so if we set it to UINT_MAX and multiply
> > by two, it's going to have an integer overflow.  
> 
> AFAICS it wouldn't overflow due the promotion to unsigned long
> by '* sizeof(u32)'.
> 

It first multplies "nfences * 2" as unsigned int, then it type promotes
to size_t and multiplies by sizeof().  Only the first multiplication has
an integer overflow bug.

regards,
dan carpenter



More information about the Intel-gfx mailing list