CHROMIUM: drm/i915: bounds check execbuffer relocations 18/45118/5
authorKees Cook <keescook@chromium.org>
Fri, 8 Mar 2013 02:09:58 +0000 (18:09 -0800)
committerChromeBot <chrome-bot@google.com>
Mon, 11 Mar 2013 22:12:13 +0000 (15:12 -0700)
commitc79efdf2b7f68f985922a8272d64269ecd490477
tree304e9f62642c464bdc5503184138513b42bda457
parente3e071f729474b7cb7995e8009e5ab4aa4360140
CHROMIUM: drm/i915: bounds check execbuffer relocations

It is possible to wrap the counter used to allocate the buffer for
relocation copies. This could lead to heap writing overflows.

BUG=chromium-os:39733
TEST=link build, PoC fails

[sending upstream]

Change-Id: Ifdd4ae846042852a4462d70cfa3c3b84d5a9d133
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/45118
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: St├ęphane Marchesin <marcheu@chromium.org>
drivers/gpu/drm/i915/i915_gem_execbuffer.c