Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3118a4f6 authored by Kees Cook's avatar Kees Cook Committed by Daniel Vetter
Browse files

drm/i915: bounds check execbuffer relocation count 



It is possible to wrap the counter used to allocate the buffer for
relocation copies. This could lead to heap writing overflows.

CVE-2013-0913

v3: collapse test, improve comment
v2: move check into validate_exec_list

Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Reported-by: Pinkie Pie
Cc: stable@vger.kernel.org
Reviewed-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
parent 2563a452

drivers/gpu/drm/i915/i915_gem_execbuffer.c

+8 −3
Original line number Diff line number Diff line
@@ -732,6 +732,8 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec, 
		   int count)

{

	int i;

	int relocs_total = 0;

	int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);



	for (i = 0; i < count; i++) {

		char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
@@ -740,10 +742,13 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec, 
		if (exec[i].flags & __EXEC_OBJECT_UNKNOWN_FLAGS)

			return -EINVAL;



		/* First check for malicious input causing overflow */

		if (exec[i].relocation_count >

		    INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))

		/* First check for malicious input causing overflow in

		 * the worst case where we need to allocate the entire

		 * relocation tree as a single array.

		 */

		if (exec[i].relocation_count > relocs_max - relocs_total)

			return -EINVAL;

		relocs_total += exec[i].relocation_count;



		length = exec[i].relocation_count *

			sizeof(struct drm_i915_gem_relocation_entry);