git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Dan Carpenter <dan.carpenter@oracle.com>
	Wed, 16 May 2018 14:00:26 +0000 (17:00 +0300)
committer	Stefan Bader <stefan.bader@canonical.com>
	Mon, 1 Oct 2018 12:57:15 +0000 (14:57 +0200)
commit	9cf629760b25aa49b01db52b38a770d66562fa15
tree	8c8b375fdbc5949b4ef45e1ecf5daf57e50bf837	tree
parent	944b3fb12c0343e0fedc9502e62b610a775e4248	commit \| diff

drm/dumb-buffers: Integer overflow in drm_mode_create_ioctl()

BugLink: http://bugs.launchpad.net/bugs/1794889
[ Upstream commit 2b6207291b7b277a5df9d1aab44b56815a292dba ]

There is a comment here which says that DIV_ROUND_UP() and that's where
the problem comes from. Say you pick:

args->bpp = UINT_MAX - 7;
args->width = 4;
args->height = 1;

The integer overflow in DIV_ROUND_UP() means "cpp" is UINT_MAX / 8 and
because of how we picked args->width that means cpp < UINT_MAX / 4.

I've fixed it by preventing the integer overflow in DIV_ROUND_UP(). I
removed the check for !cpp because it's not possible after this change.
I also changed all the 0xffffffffU references to U32_MAX.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20180516140026.GA19340@mwanda
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>