From: Vladis Dronov
To: VMware Graphics, Sinclair Yeh, Thomas Hellstrom, David Airlie, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Cc: Vladis Dronov
Subject: [PATCH] drm/vmwgfx: Check check that number of mip levels is above zero in vmw_surface_define_ioctl()
Date: Fri, 24 Mar 2017 16:37:10 +0100
Message-Id: <20170324153710.8706-1-vdronov@redhat.com>

In vmw_surface_define_ioctl(), a num_sizes parameter is assigned a
user-controlled value which is not checked for zero. It is used in
a call to kmalloc() which returns ZERO_SIZE_PTR. Later ZERO_SIZE_PTR
is dereferenced which leads to a GPF and possibly to a kernel panic.
Add the check for zero to avoid this.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1435719

Signed-off-by: Vladis Dronov
---
 drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
index b445ce9..42840cc 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c @@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data, for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) num_sizes += req->mip_levels[i]; - if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * - DRM_VMW_MAX_MIP_LEVELS) + if (num_sizes <= 0 || + num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS) return -EINVAL; size = vmw_user_surface_size + 128 + -- 2.9.3
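
Review bot: In the new condition, "num_sizes <= 0" reads as if a negative total were possible, but the commit message only describes the zero case and the declaration of num_sizes is not visible in this hunk. If it is unsigned, write "num_sizes == 0" so the test says what it means; if it is signed, the commit message should say how the sum can go negative. Separately, the loop just above the check adds each user-supplied req->mip_levels[i] with no per-face bound, so only the total is validated; consider returning -EINVAL inside the loop when req->mip_levels[i] exceeds DRM_VMW_MAX_MIP_LEVELS, so the sum cannot wrap back into the accepted range. The subject line also repeats "Check check".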