diff options
author | Miod Vallat <miod@cvs.openbsd.org> | 2008-07-29 19:13:57 +0000 |
---|---|---|
committer | Miod Vallat <miod@cvs.openbsd.org> | 2008-07-29 19:13:57 +0000 |
commit | 951e0de1ad9d148ef233cba93ac5b52c36ef5a40 (patch) | |
tree | 8beb5e224f47b56c2aa0157a25a4bd91d9a9aeda /sys/dev/pci | |
parent | 40428850dba4039ecc7ae774d0efb2a6e49ed170 (diff) |
Stricter bounds checking for values controlling loops or memory allocations,
which may come from userland via ioctls. ok oga@
Diffstat (limited to 'sys/dev/pci')
-rw-r--r-- | sys/dev/pci/drm/i915_dma.c | 10 | ||||
-rw-r--r-- | sys/dev/pci/drm/radeon_state.c | 2 |
2 files changed, 10 insertions, 2 deletions
diff --git a/sys/dev/pci/drm/i915_dma.c b/sys/dev/pci/drm/i915_dma.c index 27d152cb727..6690aac215d 100644 --- a/sys/dev/pci/drm/i915_dma.c +++ b/sys/dev/pci/drm/i915_dma.c @@ -554,8 +554,8 @@ static int i915_dispatch_cmdbuffer(struct drm_device * dev, int nbox = cmd->num_cliprects; int i = 0, count, ret; - if (cmd->sz & 0x3) { - DRM_ERROR("alignment\n"); + if (cmd->sz <= 0 || (cmd->sz & 0x3) != 0) { + DRM_ERROR("negative value or incorrect alignment\n"); return -EINVAL; } @@ -746,6 +746,9 @@ static int i915_batchbuffer(struct drm_device *dev, void *data, DRM_DEBUG("i915 batchbuffer, start %x used %d cliprects %d\n", batch->start, batch->used, batch->num_cliprects); + if (batch->num_cliprects < 0) + return -EINVAL; + LOCK_TEST_WITH_RETURN(dev, file_priv); if (batch->num_cliprects && DRM_VERIFYAREA_READ(batch->cliprects, @@ -771,6 +774,9 @@ static int i915_cmdbuffer(struct drm_device *dev, void *data, DRM_DEBUG("i915 cmdbuffer, buf %p sz %d cliprects %d\n", cmdbuf->buf, cmdbuf->sz, cmdbuf->num_cliprects); + if (cmdbuf->num_cliprects < 0) + return -EINVAL; + LOCK_TEST_WITH_RETURN(dev, file_priv); if (cmdbuf->num_cliprects && diff --git a/sys/dev/pci/drm/radeon_state.c b/sys/dev/pci/drm/radeon_state.c index c50ac248dd7..5be3ffd0ebb 100644 --- a/sys/dev/pci/drm/radeon_state.c +++ b/sys/dev/pci/drm/radeon_state.c @@ -3147,6 +3147,8 @@ static int radeon_cp_setparam(struct drm_device *dev, void *data, struct drm_fil dev_priv->new_memmap = sp->value; break; case RADEON_SETPARAM_PCIGART_TABLE_SIZE: + if (sp->value < 0) + return -EINVAL; dev_priv->gart_info.table_size = sp->value; if (dev_priv->gart_info.table_size < RADEON_PCIGART_TABLE_SIZE) dev_priv->gart_info.table_size = RADEON_PCIGART_TABLE_SIZE; |