lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Mon, 16 Dec 2013 21:21:38 +0800
From:	xuyongjiande@...il.com
To:	airlied@...ux.ie, daniel.vetter@...ll.ch, airlied@...hat.com
Cc:	linux-kernel@...r.kernel.org, chyyuu@...il.com,
	xiaoqixue_1@....com, Yongjian Xu <xuyongjiande@...il.com>
Subject: [PATCH] drm: integer overflow in vmw_kms_update_layout_ioctl()

From: Yongjian Xu <xuyongjiande@...il.com>

rects is copy_from_user.
rects[i].x and rects[i].y are signed.
rects[i].w and rects[i].h are unsigned.
If rects[i].w is large enough, integer overflow could happen in: rects[i].x + rects[i].w
rects[i].h has the same problem.

Reported-by: Yongjian xu <xuyongjiande@...il.com>
Suggested-by: Qixue Xiao <xiaoqixue_1@....com>
Signed-off-by: Yu Chen <chyyuu@...il.com>
---
 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
index 03f1c20..edec5f8 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
@@ -2045,6 +2045,8 @@ int vmw_kms_update_layout_ioctl(struct drm_device *dev, void *data,
 	for (i = 0; i < arg->num_outputs; ++i) {
 		if (rects[i].x < 0 ||
 		    rects[i].y < 0 ||
+		    rects[i].w > mode_config->max_width ||
+		    rects[i].h > mode_config->max_height ||
 		    rects[i].x + rects[i].w > mode_config->max_width ||
 		    rects[i].y + rects[i].h > mode_config->max_height) {
 			DRM_ERROR("Invalid GUI layout.\n");
-- 
1.7.9.5

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ