]> git.hungrycats.org Git - linux/commitdiff
drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl()
authorVladis Dronov <vdronov@redhat.com>
Fri, 2 Jun 2017 05:42:09 +0000 (07:42 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 14 Jun 2017 10:54:20 +0000 (12:54 +0200)
commit ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf upstream.

The 'req->mip_levels' parameter in vmw_gb_surface_define_ioctl() is
a user-controlled 'uint32_t' value which is used as a loop count limit.
This can lead to a kernel lockup and DoS. Add check for 'req->mip_levels'.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1437431

Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c

index 75c3c2a1eb7f12191b00a9cb5d8aca22fb344dba..3f43f3ff528b27867f52ca641f244707bd3b132a 100644 (file)
@@ -1243,6 +1243,9 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
        const struct svga3d_surface_desc *desc;
        uint32_t backup_handle;
 
+       if (req->mip_levels > DRM_VMW_MAX_MIP_LEVELS)
+               return -EINVAL;
+
        if (unlikely(vmw_user_surface_size == 0))
                vmw_user_surface_size = ttm_round_pot(sizeof(*user_srf)) +
                        128;