drm/amdgpu: fix integer overflow test in amdgpu_bo_list_create()

We accidentally left out the size of the amdgpu_bo_list struct. It could lead to memory corruption on 32 bit systems. You'd have to pick the absolute maximum and set "num_entries == 59652323" then size would wrap to 16 bytes. Fixes: 920990c ("drm/amdgpu: allocate the bo_list array after the list") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Huang Rui <ray.huang@amd.com> Reviewed-by: Bas Nieuwenhuizen <basni@chromium.org> Signed-off-by: Huang Rui <ray.huang@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
mariux64 · Aug 27, 2018 · ff30e9e · ff30e9e
1 parent e51ee68
commit ff30e9e
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
@@ -67,7 +67,8 @@ int amdgpu_bo_list_create(struct amdgpu_device *adev, struct drm_file *filp,
 	unsigned i;
 	int r;
 
-	if (num_entries > SIZE_MAX / sizeof(struct amdgpu_bo_list_entry))
+	if (num_entries > (SIZE_MAX - sizeof(struct amdgpu_bo_list))
+				/ sizeof(struct amdgpu_bo_list_entry))
 		return -EINVAL;
 
 	size = sizeof(struct amdgpu_bo_list);