| From 36274ab8c596f1240c606bb514da329add2a1bcd Mon Sep 17 00:00:00 2001 |
| From: Murray McAllister <murray.mcallister@insomniasec.com> |
| Date: Mon, 27 Mar 2017 11:12:53 +0200 |
| Subject: drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl() |
| |
| From: Murray McAllister <murray.mcallister@insomniasec.com> |
| |
| commit 36274ab8c596f1240c606bb514da329add2a1bcd upstream. |
| |
| Before memory allocations vmw_surface_define_ioctl() checks the |
| upper-bounds of a user-supplied size, but does not check if the |
| supplied size is 0. |
| |
| Add check to avoid NULL pointer dereferences. |
| |
| Signed-off-by: Murray McAllister <murray.mcallister@insomniasec.com> |
| Reviewed-by: Sinclair Yeh <syeh@vmware.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c |
| +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c |
| @@ -718,8 +718,8 @@ int vmw_surface_define_ioctl(struct drm_ |
| for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) |
| num_sizes += req->mip_levels[i]; |
| |
| - if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * |
| - DRM_VMW_MAX_MIP_LEVELS) |
| + if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS || |
| + num_sizes == 0) |
| return -EINVAL; |
| |
| size = vmw_user_surface_size + 128 + |