[CVE-2017-7261][PATCH T] drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
Po-Hsu Lin
po-hsu.lin at canonical.com
Wed Jul 19 07:45:52 UTC 2017
From: Murray McAllister <murray.mcallister at insomniasec.com>
CVE-2017-7261
Before memory allocations vmw_surface_define_ioctl() checks the
upper-bounds of a user-supplied size, but does not check if the
supplied size is 0.
Add check to avoid NULL pointer dereferences.
Cc: <stable at vger.kernel.org>
Signed-off-by: Murray McAllister <murray.mcallister at insomniasec.com>
Reviewed-by: Sinclair Yeh <syeh at vmware.com>
(cherry picked from commit 36274ab8c596f1240c606bb514da329add2a1bcd)
Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
---
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
index 9593df6..196833b 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
@@ -711,8 +711,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
num_sizes += req->mip_levels[i];
}
- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
- DRM_VMW_MAX_MIP_LEVELS)
+ if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
+ num_sizes == 0)
return -EINVAL;
size = vmw_user_surface_size + 128 +
--
2.7.4
More information about the kernel-team
mailing list