From: Yongjian Xu <[email protected]>

rects comes from copy_from_user.
rects[i].x and rects[i].y are signed.
rects[i].w and rects[i].h are unsigned.
If rects[i].w is large enough, integer overflow could happen in:
rects[i].x + rects[i].w
rects[i].h has the same problem.

Reported-by: Yongjian xu <[email protected]>
Suggested-by: Qixue Xiao <[email protected]>
Signed-off-by: Yu Chen <[email protected]>
---
 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c 
b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
index 03f1c20..edec5f8 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
@@ -2045,6 +2045,8 @@ int vmw_kms_update_layout_ioctl(struct drm_device *dev, 
void *data,
        for (i = 0; i < arg->num_outputs; ++i) {
                if (rects[i].x < 0 ||
                    rects[i].y < 0 ||
+                   rects[i].w > mode_config->max_width ||
+                   rects[i].h > mode_config->max_height ||
                    rects[i].x + rects[i].w > mode_config->max_width ||
                    rects[i].y + rects[i].h > mode_config->max_height) {
                        DRM_ERROR("Invalid GUI layout.\n");
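Review bot: the two added bounds on rects[i].w and rects[i].h only stop the wrap because they sit ahead of `rects[i].x + rects[i].w` and `rects[i].y + rects[i].h` in the same `||` chain, so short-circuit evaluation rejects an oversized w or h before the sum is computed; nothing in the code says that the order matters. A one-line comment above the condition would keep a later reordering from reintroducing the overflow. An alternative that does not depend on ordering is to compare by subtraction once x and y are known to be in range, for example `rects[i].w > mode_config->max_width - rects[i].x`, which needs a preceding `rects[i].x > mode_config->max_width` check. It would also help if the commit message stated the field widths, since "signed" and "unsigned" alone do not show that x + w cannot wrap once w is capped at max_width.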
-- 
1.7.9.5
