drm/i915: bounds check execbuffer relocation count

It is possible to wrap the counter used to allocate the buffer for
relocation copies. This could lead to heap writing overflows.

CVE-2013-0913

v3: collapse test, improve comment
v2: move check into validate_exec_list

Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Pinkie Pie
Cc: stable@vger.kernel.org
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>

1 files changed, 8 insertions, 3 deletions

diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index 2f2daebd0eef..3b11ab0fbc96 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -732,6 +732,8 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
                    int count)
 {
         int i;
+        int relocs_total = 0;
+        int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
 
         for (i = 0; i < count; i++) {
                 char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
@@ -740,10 +742,13 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
                 if (exec[i].flags & __EXEC_OBJECT_UNKNOWN_FLAGS)
                         return -EINVAL;
 
-                /* First check for malicious input causing overflow */
-                if (exec[i].relocation_count >
-                    INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))
+                /* First check for malicious input causing overflow in
+                 * the worst case where we need to allocate the entire
+                 * relocation tree as a single array.
+                 */
+                if (exec[i].relocation_count > relocs_max - relocs_total)
                         return -EINVAL;
+                relocs_total += exec[i].relocation_count;
 
                 length = exec[i].relocation_count *
                         sizeof(struct drm_i915_gem_relocation_entry);