BACKPORT: drm: crtc: integer overflow in drm_property_create_blob()
Shreshtha SAHU [Wed, 30 Nov 2016 18:38:01 +0000 (23:38 +0530)]
The size here comes from the user via the ioctl, it is a number between
1-u32max so the addition here could overflow on 32 bit systems.

This patch fixes a security vulnerability reported here:
https://code.google.com/p/android/issues/detail?id=228947

Change-Id: I17ed8c6e30826074cfc6dd833deb423be9bd89c5
Fixes: f453ba046074 ('DRM: add mode setting support')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Cc: stable@kernel.org # v4.2
Signed-off-by: Dave Airlie <airlied@gmail.com>

Bug 1846814

Signed-off-by: Shreshtha SAHU <ssahu@nvidia.com>
Change-Id: I308e65797972a0a0650bd96bd130dfd2fbe9c993
Reviewed-on: http://git-master/r/1262503
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

drivers/gpu/drm/drm_crtc.c

index 8759d69..d8fcc80 100644 (file)
@@ -2956,8 +2956,8 @@ static struct drm_property_blob *drm_property_create_blob(struct drm_device *dev
        struct drm_property_blob *blob;
        int ret;
 
-       if (!length || !data)
-               return NULL;
+       if (!length || !data || length > ULONG_MAX - sizeof(struct drm_property_blob))
+               return ERR_PTR(-EINVAL);
 
        blob = kzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
        if (!blob)