[patch 1/4] drm/qxl: integer overflow in qxl_process_single_command()
> > This size calculation can overflow on 32 bit systems leading to memory > corruption. > > Reported-by: Ilja Van Sprundel > Signed-off-by: Dan Carpenter > > diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c > b/drivers/gpu/drm/qxl/qxl_ioctl.c > index bda5c5f..eda6f30 100644 > --- a/drivers/gpu/drm/qxl/qxl_ioctl.c > +++ b/drivers/gpu/drm/qxl/qxl_ioctl.c > @@ -168,7 +168,7 @@ static int qxl_process_single_command(struct qxl_device > *qdev, > cmd->command_size)) > return -EFAULT; > > - reloc_info = kmalloc(sizeof(struct qxl_reloc_info) * cmd->relocs_num, > GFP_KERNEL); > + reloc_info = kmalloc_array(cmd->relocs_num, sizeof(struct > qxl_reloc_info), > GFP_KERNEL); > if (!reloc_info) > return -ENOMEM; > > Looks fine. Acked. Frediano
[patch 1/4] drm/qxl: integer overflow in qxl_process_single_command()
This size calculation can overflow on 32 bit systems leading to memory corruption. Reported-by: Ilja Van Sprundel Signed-off-by: Dan Carpenter diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c index bda5c5f..eda6f30 100644 --- a/drivers/gpu/drm/qxl/qxl_ioctl.c +++ b/drivers/gpu/drm/qxl/qxl_ioctl.c @@ -168,7 +168,7 @@ static int qxl_process_single_command(struct qxl_device *qdev, cmd->command_size)) return -EFAULT; - reloc_info = kmalloc(sizeof(struct qxl_reloc_info) * cmd->relocs_num, GFP_KERNEL); + reloc_info = kmalloc_array(cmd->relocs_num, sizeof(struct qxl_reloc_info), GFP_KERNEL); if (!reloc_info) return -ENOMEM;