[PATCH v2] drm/i915: bounds check execbuffer relocation count

On Mon, Mar 11, 2013 at 03:25:59PM -0700, Kees Cook wrote: > On Mon, Mar 11, 2013 at 3:00 PM, Chris Wilson > wrote: > > On Mon, Mar 11, 2013 at 02:23:29PM -0700, Kees Cook wrote: > >> It is possible to wrap the counter used to allocate the buffer for > >> relocation copies. This could lead to hea

[PATCH v2] drm/i915: bounds check execbuffer relocation count

On Mon, Mar 11, 2013 at 02:23:29PM -0700, Kees Cook wrote: > It is possible to wrap the counter used to allocate the buffer for > relocation copies. This could lead to heap writing overflows. I'd keep the return value as EINVAL so that we can continue to distinguish between the user passing garbag

Re: [PATCH v2] drm/i915: bounds check execbuffer relocation count

On Mon, Mar 11, 2013 at 03:25:59PM -0700, Kees Cook wrote: > On Mon, Mar 11, 2013 at 3:00 PM, Chris Wilson > wrote: > > On Mon, Mar 11, 2013 at 02:23:29PM -0700, Kees Cook wrote: > >> It is possible to wrap the counter used to allocate the buffer for > >> relocation copies. This could lead to hea

Re: [PATCH v2] drm/i915: bounds check execbuffer relocation count

On Mon, Mar 11, 2013 at 3:00 PM, Chris Wilson wrote: > On Mon, Mar 11, 2013 at 02:23:29PM -0700, Kees Cook wrote: >> It is possible to wrap the counter used to allocate the buffer for >> relocation copies. This could lead to heap writing overflows. > > I'd keep the return value as EINVAL so that w

[PATCH v2] drm/i915: bounds check execbuffer relocation count

It is possible to wrap the counter used to allocate the buffer for relocation copies. This could lead to heap writing overflows. Signed-off-by: Kees Cook Reported-by: Pinkie Pie Cc: sta...@vger.kernel.org --- v2: - move check into validate_exec_list --- drivers/gpu/drm/i915/i915_gem_execbuffer.

[PATCH v2] drm/i915: bounds check execbuffer relocation count

On Mon, Mar 11, 2013 at 3:00 PM, Chris Wilson wrote: > On Mon, Mar 11, 2013 at 02:23:29PM -0700, Kees Cook wrote: >> It is possible to wrap the counter used to allocate the buffer for >> relocation copies. This could lead to heap writing overflows. > > I'd keep the return value as EINVAL so that

Re: [PATCH v2] drm/i915: bounds check execbuffer relocation count

On Mon, Mar 11, 2013 at 02:23:29PM -0700, Kees Cook wrote: > It is possible to wrap the counter used to allocate the buffer for > relocation copies. This could lead to heap writing overflows. I'd keep the return value as EINVAL so that we can continue to distinguish between the user passing garbag

[PATCH v2] drm/i915: bounds check execbuffer relocation count

It is possible to wrap the counter used to allocate the buffer for relocation copies. This could lead to heap writing overflows. Signed-off-by: Kees Cook Reported-by: Pinkie Pie Cc: stable at vger.kernel.org --- v2: - move check into validate_exec_list --- drivers/gpu/drm/i915/i915_gem_execbuff