Home Home > GIT Browse > openSUSE-15.1
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorThomas Zimmermann <tzimmermann@suse.de>2019-01-10 15:58:26 +0100
committerThomas Zimmermann <tzimmermann@suse.de>2019-01-11 13:41:55 +0100
commita9353983e3ca6840ed988fc732884832d6406454 (patch)
treea0106cc61d78e66e8c3f693512bdef82567141a8
parent342cdfa74322aa752c80e31e72bda64080b8eb97 (diff)
drm/amdgpu: fix integer overflow test in amdgpu_bo_list_create() (bsc#1113956)
-rw-r--r--patches.drm/0037-drm-amdgpu-fix-integer-overflow-test-in-amdgpu_bo_li.patch41
-rw-r--r--series.conf1
2 files changed, 42 insertions, 0 deletions
diff --git a/patches.drm/0037-drm-amdgpu-fix-integer-overflow-test-in-amdgpu_bo_li.patch b/patches.drm/0037-drm-amdgpu-fix-integer-overflow-test-in-amdgpu_bo_li.patch
new file mode 100644
index 0000000000..65d221d0ef
--- /dev/null
+++ b/patches.drm/0037-drm-amdgpu-fix-integer-overflow-test-in-amdgpu_bo_li.patch
@@ -0,0 +1,41 @@
+From ff30e9e8509cb877dc7cbc776b36c70f5bdd290f Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 10 Aug 2018 18:50:32 +0800
+Subject: drm/amdgpu: fix integer overflow test in amdgpu_bo_list_create()
+Git-commit: ff30e9e8509cb877dc7cbc776b36c70f5bdd290f
+Patch-mainline: v4.20-rc1
+References: bsc#1113956
+
+We accidentally left out the size of the amdgpu_bo_list struct. It
+could lead to memory corruption on 32 bit systems. You'd have to
+pick the absolute maximum and set "num_entries == 59652323" then size
+would wrap to 16 bytes.
+
+Fixes: 920990cb080a ("drm/amdgpu: allocate the bo_list array after the list")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Huang Rui <ray.huang@amd.com>
+Reviewed-by: Bas Nieuwenhuizen <basni@chromium.org>
+Signed-off-by: Huang Rui <ray.huang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
+index d472a2c8399f..b80243d3972e 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
+@@ -67,7 +67,8 @@ int amdgpu_bo_list_create(struct amdgpu_device *adev, struct drm_file *filp,
+ unsigned i;
+ int r;
+
+- if (num_entries > SIZE_MAX / sizeof(struct amdgpu_bo_list_entry))
++ if (num_entries > (SIZE_MAX - sizeof(struct amdgpu_bo_list))
++ / sizeof(struct amdgpu_bo_list_entry))
+ return -EINVAL;
+
+ size = sizeof(struct amdgpu_bo_list);
+--
+2.20.1
+
diff --git a/series.conf b/series.conf
index dd37900252..5dd37e1673 100644
--- a/series.conf
+++ b/series.conf
@@ -40810,6 +40810,7 @@
patches.drm/0028-drm-i915-guc-Move-the-pin-bias-value-from-GuC-to-GGT.patch
patches.drm/drm-i915-cfl-Add-a-new-CFL-PCI-ID
patches.drm/0038-drm-i915-psr-Remove-wait_for_idle-for-PSR2.patch
+ patches.drm/0037-drm-amdgpu-fix-integer-overflow-test-in-amdgpu_bo_li.patch
patches.drm/drm-amdgpu-add-missing-CHIP_HAINAN-in-amdgpu_ucode_g.patch
patches.drm/0001-drm-hisilicon-hibmc-Do-not-carry-error-code-in-HiBMC.patch
patches.drm/0001-drm-hisilicon-hibmc-Don-t-overwrite-fb-helper-surfac.patch