From: Dan Carpenter Date: Tue, 23 Dec 2014 09:56:49 +0000 (+0300) Subject: drm/radeon: integer underflow in radeon_cp_dispatch_texture() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=dd5a74f2f982193620cfa1ef609df1ee805781d4;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git drm/radeon: integer underflow in radeon_cp_dispatch_texture() The test: if (size > RADEON_MAX_TEXTURE_SIZE) { "size" is an integer and it's controled by the user so it can be negative and the test can underflow. Later we use "size" in: dwords = size / 4; ... RADEON_COPY_MT(buffer, data, (int)(dwords * sizeof(u32))); It causes memory corruption to copy a negative size buffer. Signed-off-by: Dan Carpenter Reviewed-by: Christian König Signed-off-by: Alex Deucher --- diff --git a/drivers/gpu/drm/radeon/radeon_state.c b/drivers/gpu/drm/radeon/radeon_state.c index 535403e0c8a2..15aee723db77 100644 --- a/drivers/gpu/drm/radeon/radeon_state.c +++ b/drivers/gpu/drm/radeon/radeon_state.c @@ -1703,7 +1703,7 @@ static int radeon_cp_dispatch_texture(struct drm_device * dev, u32 format; u32 *buffer; const u8 __user *data; - int size, dwords, tex_width, blit_width, spitch; + unsigned int size, dwords, tex_width, blit_width, spitch; u32 height; int i; u32 texpitch, microtile;