diff options
author | Murray McAllister <murray.mcallister@insomniasec.com> | 2017-03-27 11:15:12 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-04-12 12:38:32 +0200 |
commit | 0e075f266749ea6507758123f553fece6664e4e2 (patch) | |
tree | c5ba7da59f0ea48438247174e49b3ed5acb3e695 | |
parent | b26629453c7b2a6c82000b36fbd1cfc4d9101808 (diff) | |
download | linux-stable-0e075f266749ea6507758123f553fece6664e4e2.tar.gz linux-stable-0e075f266749ea6507758123f553fece6664e4e2.tar.bz2 linux-stable-0e075f266749ea6507758123f553fece6664e4e2.zip |
drm/vmwgfx: avoid calling vzalloc with a 0 size in vmw_get_cap_3d_ioctl()
commit 63774069d9527a1aeaa4aa20e929ef5e8e9ecc38 upstream.
In vmw_get_cap_3d_ioctl(), a user can supply 0 for a size that is
used in vzalloc(). This eventually calls dump_stack() (in warn_alloc()),
which can leak useful addresses to dmesg.
Add check to avoid a size of 0.
Signed-off-by: Murray McAllister <murray.mcallister@insomniasec.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c index b8c6a03c8c54..1802d0e7fab8 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c @@ -186,7 +186,7 @@ int vmw_get_cap_3d_ioctl(struct drm_device *dev, void *data, bool gb_objects = !!(dev_priv->capabilities & SVGA_CAP_GBOBJECTS); struct vmw_fpriv *vmw_fp = vmw_fpriv(file_priv); - if (unlikely(arg->pad64 != 0)) { + if (unlikely(arg->pad64 != 0 || arg->max_size == 0)) { DRM_ERROR("Illegal GET_3D_CAP argument.\n"); return -EINVAL; } |