Commit 6587eb82 authored by Xi Wang's avatar Xi Wang Committed by Dave Airlie

drm/savage: fix integer overflows in savage_bci_cmdbuf()

Since cmdbuf->size and cmdbuf->nbox are from userspace, a large value
would overflow the allocation size, leading to out-of-bounds access.
Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
parent 4de833c3
...@@ -988,7 +988,7 @@ int savage_bci_cmdbuf(struct drm_device *dev, void *data, struct drm_file *file_ ...@@ -988,7 +988,7 @@ int savage_bci_cmdbuf(struct drm_device *dev, void *data, struct drm_file *file_
* for locking on FreeBSD. * for locking on FreeBSD.
*/ */
if (cmdbuf->size) { if (cmdbuf->size) {
kcmd_addr = kmalloc(cmdbuf->size * 8, GFP_KERNEL); kcmd_addr = kmalloc_array(cmdbuf->size, 8, GFP_KERNEL);
if (kcmd_addr == NULL) if (kcmd_addr == NULL)
return -ENOMEM; return -ENOMEM;
...@@ -1015,7 +1015,7 @@ int savage_bci_cmdbuf(struct drm_device *dev, void *data, struct drm_file *file_ ...@@ -1015,7 +1015,7 @@ int savage_bci_cmdbuf(struct drm_device *dev, void *data, struct drm_file *file_
cmdbuf->vb_addr = kvb_addr; cmdbuf->vb_addr = kvb_addr;
} }
if (cmdbuf->nbox) { if (cmdbuf->nbox) {
kbox_addr = kmalloc(cmdbuf->nbox * sizeof(struct drm_clip_rect), kbox_addr = kmalloc_array(cmdbuf->nbox, sizeof(struct drm_clip_rect),
GFP_KERNEL); GFP_KERNEL);
if (kbox_addr == NULL) { if (kbox_addr == NULL) {
ret = -ENOMEM; ret = -ENOMEM;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment