drm/savage: fix integer overflows in savage_bci_cmdbuf()

Since cmdbuf->size and cmdbuf->nbox are from userspace, a large value
would overflow the allocation size, leading to out-of-bounds access.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

diff --git a/drivers/gpu/drm/savage/savage_state.c b/drivers/gpu/drm/savage/savage_state.c
index 031aaaf79ac2da2c2972dfbadade2530877a55cb..b6d8608375cde6b0063796d83ae763b4bd1b14db 100644 (file)
--- a/drivers/gpu/drm/savage/savage_state.c
+++ b/drivers/gpu/drm/savage/savage_state.c
@@ -988,7 +988,7 @@ int savage_bci_cmdbuf(struct drm_device *dev, void *data, struct drm_file *file_
         * for locking on FreeBSD.
         */
        if (cmdbuf->size) {
-               kcmd_addr = kmalloc(cmdbuf->size * 8, GFP_KERNEL);
+               kcmd_addr = kmalloc_array(cmdbuf->size, 8, GFP_KERNEL);
                if (kcmd_addr == NULL)
                        return -ENOMEM;
 
@@ -1015,8 +1015,8 @@ int savage_bci_cmdbuf(struct drm_device *dev, void *data, struct drm_file *file_
                cmdbuf->vb_addr = kvb_addr;
        }
        if (cmdbuf->nbox) {
-               kbox_addr = kmalloc(cmdbuf->nbox * sizeof(struct drm_clip_rect),
-                                   GFP_KERNEL);
+               kbox_addr = kmalloc_array(cmdbuf->nbox, sizeof(struct drm_clip_rect),
+                                         GFP_KERNEL);
                if (kbox_addr == NULL) {
                        ret = -ENOMEM;
                        goto done;