Commit 2b99b2c4 authored by Dan Carpenter's avatar Dan Carpenter Committed by Greg Kroah-Hartman
Browse files

drm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit() 



[ Upstream commit 3a47f4b4 ]

The "submit->cmd[i].size" and "submit->cmd[i].offset" variables are u32
values that come from the user via the submit_lookup_cmds() function.
This addition could lead to an integer wrapping bug so use size_add()
to prevent that.

Fixes: 19872533 ("drm/msm: fix cmdstream size check")
Cc: stable@vger.kernel.org
Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
Patchwork: https://patchwork.freedesktop.org/patch/624696/


Signed-off-by: default avatarRob Clark <robdclark@chromium.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent c620a776
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment