drm/nouveau: check pushbuffer bounds in ioctl
authorLuca Barbieri <luca@luca-barbieri.com>
Sun, 10 Jan 2010 19:10:53 +0000 (20:10 +0100)
committerBen Skeggs <bskeggs@redhat.com>
Thu, 14 Jan 2010 23:56:50 +0000 (09:56 +1000)
commit12f735b79f0ad63964dedabed3eee8a581bb66a5
tree22a774a050cbd0967d0b89788375271f226ba252
parentac8fb975e8c88d312a376b035494be17548d01c6
drm/nouveau: check pushbuffer bounds in ioctl

Currently there is no check that the pushbuffer request bounds are inside
the TTM BO.

This allows to instruct the kernel to do relocations on user-selected
addresses, since the relocation bounds checking relies on the request
bounds.

This can oops the kernel accidentally and is easily exploitable.

This patch adds bound checking and alignment checking for ->offset and
->nr_dwords.

It also makes some variables unsigned, which should have no effect,
but prevents possible bounds checking problems.

Signed-off-by: Luca Barbieri <luca@luca-barbieri.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
drivers/gpu/drm/nouveau/nouveau_gem.c