summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2015-10-29 16:37:54 +0300
committerDave Airlie <airlied@gmail.com>2015-10-31 10:00:05 +1000
commit9ac0934bbe52290e4e4c2a58ec41cab9b6ca8c96 (patch)
tree5d1efc1e282f49e061e1a6677f9bf77c93e20a5d
parent04ccb89073e7cfc31d9b9208d32b2cdf84a4d97d (diff)
downloadlwn-9ac0934bbe52290e4e4c2a58ec41cab9b6ca8c96.tar.gz
lwn-9ac0934bbe52290e4e4c2a58ec41cab9b6ca8c96.zip
drm: crtc: integer overflow in drm_property_create_blob()
The size here comes from the user via the ioctl, it is a number between 1-u32max so the addition here could overflow on 32 bit systems. Fixes: f453ba046074 ('DRM: add mode setting support') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Daniel Stone <daniels@collabora.com> Cc: stable@kernel.org # v4.2 Signed-off-by: Dave Airlie <airlied@gmail.com>
-rw-r--r--drivers/gpu/drm/drm_crtc.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index 33d877c65ced..c205f13f9388 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -4105,7 +4105,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
struct drm_property_blob *blob;
int ret;
- if (!length)
+ if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
return ERR_PTR(-EINVAL);
blob = kzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);