On Tue, Feb 16, 2016 at 12:49 PM, Gerd Hoffmann wrote:
> + if (cmd->relocs_num > 65536)
> + return -EINVAL;
> reloc_info = kmalloc(sizeof(struct qxl_reloc_info) * cmd->relocs_num,
> GFP_KERNEL);
> if (!reloc_info)
> return -ENOMEM;
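Review bot: the bound on the `+ if (cmd->relocs_num > 65536)` line is a bare magic number whose only justification lives in the commit message; give it a named constant with a comment stating that it exists to keep `sizeof(struct qxl_reloc_info) * cmd->relocs_num` from overflowing on 32-bit, so the next reader does not loosen it without seeing why. Independently of the cap, the allocation below could use `kmalloc_array(cmd->relocs_num, sizeof(struct qxl_reloc_info), GFP_KERNEL)`, which returns NULL on multiplication overflow whatever limit is chosen, leaving the explicit check as a documented policy limit rather than the sole overflow guard.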
Why not
Limit relocs_num to 65536. That limit is small enough to avoid integer
overflow on 32bit machines when calculating reloc_info size (as reported
by Alan Cox), and is big enough to not block normal usage (kmalloc
would ENOMEM on requests larger than that anyway).
Cc: stable at vger.kernel.org
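The size-computation overflow the commit message describes, as an added example that is not code from the qxl driver or from this thread: the struct layout, `QXL_MAX_RELOCS` and the function names are constructed stand-ins, and a 32-bit `size_t` is emulated with `uint32_t` so the wrap is visible on any host.

```c
#include <stdint.h>
#include <stddef.h>
#include <errno.h>

/* Constructed stand-in for struct qxl_reloc_info; the real layout is not on this page. */
struct qxl_reloc_info_example {
    uint32_t type;
    uint32_t dst_offset;
    uint32_t src_offset;
    uint32_t pad;   /* 16 bytes total */
};

#define QXL_MAX_RELOCS 65536  /* the cap chosen by the patch (name is assumed) */

/* Pre-patch arithmetic on a 32-bit kernel: the product silently wraps,
 * so a huge relocs_num yields a tiny allocation. */
uint32_t reloc_info_size_unchecked(uint32_t relocs_num)
{
    return (uint32_t)sizeof(struct qxl_reloc_info_example) * relocs_num;
}

/* The patch's approach: reject counts above the cap before multiplying.
 * Returns the byte size, or -EINVAL for an over-large request. */
int64_t reloc_info_size_capped(uint32_t relocs_num)
{
    if (relocs_num > QXL_MAX_RELOCS)
        return -EINVAL;
    return (int64_t)((uint32_t)sizeof(struct qxl_reloc_info_example) * relocs_num);
}

/* Overflow-checked multiplication, the property kmalloc_array() gives:
 * detect the wrap instead of relying on a fixed cap. Returns -ENOMEM on overflow. */
int64_t reloc_info_size_checked(uint32_t relocs_num)
{
    uint64_t wide = (uint64_t)sizeof(struct qxl_reloc_info_example) * relocs_num;
    if (wide > UINT32_MAX)
        return -ENOMEM;
    return (int64_t)wide;
}
```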