| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1455623363-9224-1-git-send-email-kraxel@redhat.com> Date: Tue, 16 Feb 2016 12:49:23 +0100 From: Gerd Hoffmann <kraxel@...hat.com> To: David Airlie <airlied@...ux.ie> Cc: Gerd Hoffmann <kraxel@...hat.com>, stable@...r.kernel.org, gnomes@...rguk.ukuu.org.uk, dri-devel@...ts.freedesktop.org (open list:DRM DRIVERS), linux-kernel@...r.kernel.org (open list) Subject: [PATCH] qxl: apply limit to relocs_num in qxl_process_single_command Limit relocs_num to 65536. That limit is small enougth to avoid integer overflow on 32bit machines when calculating reloc_info size (as reported by Alan Cox), and is big enougth to not block normal usage (kmalloc would ENOMEM on requests larger than that anyway). Cc: stable@...r.kernel.org Cc: gnomes@...rguk.ukuu.org.uk Signed-off-by: Gerd Hoffmann <kraxel@...hat.com> --- drivers/gpu/drm/qxl/qxl_ioctl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c index 2ae8577..970cb83 100644 --- a/drivers/gpu/drm/qxl/qxl_ioctl.c +++ b/drivers/gpu/drm/qxl/qxl_ioctl.c @@ -168,6 +168,8 @@ static int qxl_process_single_command(struct qxl_device *qdev, cmd->command_size)) return -EFAULT; + if (cmd->relocs_num > 65536) + return -EINVAL; reloc_info = kmalloc(sizeof(struct qxl_reloc_info) * cmd->relocs_num, GFP_KERNEL); if (!reloc_info) return -ENOMEM; -- 1.8.3.1
Powered by blists - more mailing lists