[patch 1/4] drm/qxl: integer overflow in qxl_process_single_command()

2015-09-18 Thread Frediano Ziglio
> 
> This size calculation can overflow on 32 bit systems leading to memory
> corruption.
> 
> Reported-by: Ilja Van Sprundel 
> Signed-off-by: Dan Carpenter 
> 
> diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c
> b/drivers/gpu/drm/qxl/qxl_ioctl.c
> index bda5c5f..eda6f30 100644
> --- a/drivers/gpu/drm/qxl/qxl_ioctl.c
> +++ b/drivers/gpu/drm/qxl/qxl_ioctl.c
> @@ -168,7 +168,7 @@ static int qxl_process_single_command(struct qxl_device
> *qdev,
>  cmd->command_size))
>   return -EFAULT;
>  
> - reloc_info = kmalloc(sizeof(struct qxl_reloc_info) * cmd->relocs_num,
> GFP_KERNEL);
> + reloc_info = kmalloc_array(cmd->relocs_num, sizeof(struct 
> qxl_reloc_info),
> GFP_KERNEL);
>   if (!reloc_info)
>   return -ENOMEM;
>  
> 
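Review bot: on the `+` line, an overflowing `cmd->relocs_num` now makes `kmalloc_array()` return NULL, so the caller gets `-ENOMEM` from the `if (!reloc_info)` check that follows, although the real problem is an invalid argument. No upper bound on `relocs_num` is visible in this hunk. Consider rejecting an out-of-range count with `-EINVAL` before the allocation, which would also stop a count that is large but does not overflow from triggering a huge allocation attempt.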

Looks fine.

Acked.

Frediano


[patch 1/4] drm/qxl: integer overflow in qxl_process_single_command()

2015-09-17 Thread Dan Carpenter
This size calculation can overflow on 32 bit systems leading to memory
corruption.

Reported-by: Ilja Van Sprundel 
Signed-off-by: Dan Carpenter 

diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c
index bda5c5f..eda6f30 100644
--- a/drivers/gpu/drm/qxl/qxl_ioctl.c
+++ b/drivers/gpu/drm/qxl/qxl_ioctl.c
@@ -168,7 +168,7 @@ static int qxl_process_single_command(struct qxl_device 
*qdev,
   cmd->command_size))
return -EFAULT;

-   reloc_info = kmalloc(sizeof(struct qxl_reloc_info) * cmd->relocs_num, 
GFP_KERNEL);
+   reloc_info = kmalloc_array(cmd->relocs_num, sizeof(struct 
qxl_reloc_info), GFP_KERNEL);
if (!reloc_info)
return -ENOMEM;
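Review bot: the replacement `kmalloc_array()` line runs well past 80 columns (it wraps in the mail), so break it after the first argument and align the continuation. The changelog could also say where `cmd->relocs_num` comes from and what is later written into `reloc_info`, so that a reader can judge the impact of the "memory corruption" it mentions without opening the file.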