* [PATCH] drm/i915: Fix integer overflow tests
@ 2017-08-17 6:23 Dan Carpenter
2017-08-17 9:37 ` Imre Deak
0 siblings, 1 reply; 9+ messages in thread
From: Dan Carpenter @ 2017-08-17 6:23 UTC (permalink / raw)
To: Daniel Vetter, Jason Ekstrand, Chris Wilson
Cc: David Airlie, intel-gfx, kernel-janitors, dri-devel
There are some potential integer overflows here on 64 bit systems.
The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be
true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the
check for now and look a couple lines after:
if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
^^^^^^^^^^^
"nfences" is an unsigned int, so if we set it to UINT_MAX and multiply
by two, it's going to have an integer overflow. The "args->buffer_count"
is also an unsigned int so it could overflow if it's set to UINT_MAX
when we do:
exec2_list = kvmalloc_array(args->buffer_count + 1, sz,
^^^^^^^^^^^^^^^^^^^^^^
Fixes: 2889caa92321 ("drm/i915: Eliminate lots of iterations over the execobjects array")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index 15ab3e6792f9..f569721aad1a 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -2152,7 +2152,7 @@ get_fence_array(struct drm_i915_gem_execbuffer2 *args,
if (!(args->flags & I915_EXEC_FENCE_ARRAY))
return NULL;
- if (nfences > SIZE_MAX / sizeof(*fences))
+ if (nfences > UINT_MAX / sizeof(*fences))
return ERR_PTR(-EINVAL);
user = u64_to_user_ptr(args->cliprects_ptr);
@@ -2520,7 +2520,7 @@ i915_gem_execbuffer(struct drm_device *dev, void *data,
unsigned int i;
int err;
- if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) {
+ if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) {
DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count);
return -EINVAL;
}
@@ -2609,7 +2609,7 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data,
struct drm_syncobj **fences = NULL;
int err;
- if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) {
+ if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) {
DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count);
return -EINVAL;
}
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH] drm/i915: Fix integer overflow tests
2017-08-17 6:23 [PATCH] drm/i915: Fix integer overflow tests Dan Carpenter
@ 2017-08-17 9:37 ` Imre Deak
2017-08-17 9:50 ` Dan Carpenter
0 siblings, 1 reply; 9+ messages in thread
From: Imre Deak @ 2017-08-17 9:37 UTC (permalink / raw)
To: Dan Carpenter
Cc: Daniel Vetter, Jason Ekstrand, Chris Wilson, intel-gfx,
kernel-janitors, dri-devel
On Thu, Aug 17, 2017 at 09:23:10AM +0300, Dan Carpenter wrote:
> There are some potential integer overflows here on 64 bit systems.
>
> The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be
> true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the
> check for now and look a couple lines after:
>
> if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
> ^^^^^^^^^^^
> "nfences" is an unsigned int, so if we set it to UINT_MAX and multiply
> by two, it's going to have an integer overflow.
AFAICS it wouldn't overflow due the promotion to unsigned long
by '* sizeof(u32)'.
> The "args->buffer_count"
> is also an unsigned int so it could overflow if it's set to UINT_MAX
> when we do:
>
> exec2_list = kvmalloc_array(args->buffer_count + 1, sz,
> ^^^^^^^^^^^^^^^^^^^^^^
Yes, this could overflow.
> Fixes: 2889caa92321 ("drm/i915: Eliminate lots of iterations over the execobjects array")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
> index 15ab3e6792f9..f569721aad1a 100644
> --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
> +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
> @@ -2152,7 +2152,7 @@ get_fence_array(struct drm_i915_gem_execbuffer2 *args,
> if (!(args->flags & I915_EXEC_FENCE_ARRAY))
> return NULL;
>
> - if (nfences > SIZE_MAX / sizeof(*fences))
> + if (nfences > UINT_MAX / sizeof(*fences))
> return ERR_PTR(-EINVAL);
>
> user = u64_to_user_ptr(args->cliprects_ptr);
> @@ -2520,7 +2520,7 @@ i915_gem_execbuffer(struct drm_device *dev, void *data,
> unsigned int i;
> int err;
>
> - if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) {
> + if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) {
> DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count);
> return -EINVAL;
> }
> @@ -2609,7 +2609,7 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data,
> struct drm_syncobj **fences = NULL;
> int err;
>
> - if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) {
> + if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) {
> DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count);
> return -EINVAL;
> }
> _______________________________________________
> dri-devel mailing list
> dri-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] drm/i915: Fix integer overflow tests
2017-08-17 9:37 ` Imre Deak
@ 2017-08-17 9:50 ` Dan Carpenter
2017-08-17 9:56 ` Imre Deak
0 siblings, 1 reply; 9+ messages in thread
From: Dan Carpenter @ 2017-08-17 9:50 UTC (permalink / raw)
To: Imre Deak
Cc: intel-gfx, kernel-janitors, dri-devel, Jason Ekstrand, Daniel Vetter
On Thu, Aug 17, 2017 at 12:37:00PM +0300, Imre Deak wrote:
> On Thu, Aug 17, 2017 at 09:23:10AM +0300, Dan Carpenter wrote:
> > There are some potential integer overflows here on 64 bit systems.
> >
> > The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be
> > true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the
> > check for now and look a couple lines after:
> >
> > if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
> > ^^^^^^^^^^^
> > "nfences" is an unsigned int, so if we set it to UINT_MAX and multiply
> > by two, it's going to have an integer overflow.
>
> AFAICS it wouldn't overflow due the promotion to unsigned long
> by '* sizeof(u32)'.
>
It first multplies "nfences * 2" as unsigned int, then it type promotes
to size_t and multiplies by sizeof(). Only the first multiplication has
an integer overflow bug.
regards,
dan carpenter
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] drm/i915: Fix integer overflow tests
2017-08-17 9:50 ` Dan Carpenter
@ 2017-08-17 9:56 ` Imre Deak
2017-08-17 14:16 ` Jason Ekstrand
0 siblings, 1 reply; 9+ messages in thread
From: Imre Deak @ 2017-08-17 9:56 UTC (permalink / raw)
To: Dan Carpenter
Cc: intel-gfx, kernel-janitors, dri-devel, Jason Ekstrand, Daniel Vetter
On Thu, Aug 17, 2017 at 12:50:37PM +0300, Dan Carpenter wrote:
> On Thu, Aug 17, 2017 at 12:37:00PM +0300, Imre Deak wrote:
> > On Thu, Aug 17, 2017 at 09:23:10AM +0300, Dan Carpenter wrote:
> > > There are some potential integer overflows here on 64 bit systems.
> > >
> > > The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be
> > > true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the
> > > check for now and look a couple lines after:
> > >
> > > if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
> > > ^^^^^^^^^^^
> > > "nfences" is an unsigned int, so if we set it to UINT_MAX and multiply
> > > by two, it's going to have an integer overflow.
> >
> > AFAICS it wouldn't overflow due the promotion to unsigned long
> > by '* sizeof(u32)'.
> >
>
> It first multplies "nfences * 2" as unsigned int, then it type promotes
> to size_t and multiplies by sizeof(). Only the first multiplication has
> an integer overflow bug.
Err, that's correct. Sorry for the noise.
>
> regards,
> dan carpenter
>
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] drm/i915: Fix integer overflow tests
2017-08-17 9:56 ` Imre Deak
@ 2017-08-17 14:16 ` Jason Ekstrand
2017-08-17 14:32 ` Dan Carpenter
2017-08-18 7:07 ` [PATCH v2] " Dan Carpenter
0 siblings, 2 replies; 9+ messages in thread
From: Jason Ekstrand @ 2017-08-17 14:16 UTC (permalink / raw)
To: imre.deak
Cc: Intel GFX, kernel-janitors, Maling list - DRI developers,
Daniel Vetter, Dan Carpenter
[-- Attachment #1.1: Type: text/plain, Size: 1351 bytes --]
On Thu, Aug 17, 2017 at 2:56 AM, Imre Deak <imre.deak@intel.com> wrote:
> On Thu, Aug 17, 2017 at 12:50:37PM +0300, Dan Carpenter wrote:
> > On Thu, Aug 17, 2017 at 12:37:00PM +0300, Imre Deak wrote:
> > > On Thu, Aug 17, 2017 at 09:23:10AM +0300, Dan Carpenter wrote:
> > > > There are some potential integer overflows here on 64 bit systems.
> > > >
> > > > The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be
> > > > true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the
> > > > check for now and look a couple lines after:
> > > >
> > > > if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
> > > > ^^^^^^^^^^^
> > > > "nfences" is an unsigned int, so if we set it to UINT_MAX and
> multiply
> > > > by two, it's going to have an integer overflow.
> > >
> > > AFAICS it wouldn't overflow due the promotion to unsigned long
> > > by '* sizeof(u32)'.
> > >
> >
> > It first multplies "nfences * 2" as unsigned int, then it type promotes
> > to size_t and multiplies by sizeof(). Only the first multiplication has
> > an integer overflow bug.
>
> Err, that's correct. Sorry for the noise.
>
Why not just replace the "2 * sizeof(u32)" with a "sizeof(*user)". That's
what we really want to check. I have no idea how it ended up being "2 *
sizeof(u32)"
--Jason
[-- Attachment #1.2: Type: text/html, Size: 2046 bytes --]
[-- Attachment #2: Type: text/plain, Size: 160 bytes --]
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] drm/i915: Fix integer overflow tests
2017-08-17 14:16 ` Jason Ekstrand
@ 2017-08-17 14:32 ` Dan Carpenter
2017-08-18 7:07 ` [PATCH v2] " Dan Carpenter
1 sibling, 0 replies; 9+ messages in thread
From: Dan Carpenter @ 2017-08-17 14:32 UTC (permalink / raw)
To: Jason Ekstrand
Cc: kernel-janitors, Maling list - DRI developers, Daniel Vetter, Intel GFX
On Thu, Aug 17, 2017 at 07:16:03AM -0700, Jason Ekstrand wrote:
> On Thu, Aug 17, 2017 at 2:56 AM, Imre Deak <imre.deak@intel.com> wrote:
>
> > On Thu, Aug 17, 2017 at 12:50:37PM +0300, Dan Carpenter wrote:
> > > On Thu, Aug 17, 2017 at 12:37:00PM +0300, Imre Deak wrote:
> > > > On Thu, Aug 17, 2017 at 09:23:10AM +0300, Dan Carpenter wrote:
> > > > > There are some potential integer overflows here on 64 bit systems.
> > > > >
> > > > > The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be
> > > > > true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the
> > > > > check for now and look a couple lines after:
> > > > >
> > > > > if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
> > > > > ^^^^^^^^^^^
> > > > > "nfences" is an unsigned int, so if we set it to UINT_MAX and
> > multiply
> > > > > by two, it's going to have an integer overflow.
> > > >
> > > > AFAICS it wouldn't overflow due the promotion to unsigned long
> > > > by '* sizeof(u32)'.
> > > >
> > >
> > > It first multplies "nfences * 2" as unsigned int, then it type promotes
> > > to size_t and multiplies by sizeof(). Only the first multiplication has
> > > an integer overflow bug.
> >
> > Err, that's correct. Sorry for the noise.
> >
>
> Why not just replace the "2 * sizeof(u32)" with a "sizeof(*user)". That's
> what we really want to check. I have no idea how it ended up being "2 *
> sizeof(u32)"
Yeah. That's more readable. I will resend.
regards,
dan carpenter
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH v2] drm/i915: Fix integer overflow tests
2017-08-17 14:16 ` Jason Ekstrand
2017-08-17 14:32 ` Dan Carpenter
@ 2017-08-18 7:07 ` Dan Carpenter
2017-08-18 7:46 ` Chris Wilson
1 sibling, 1 reply; 9+ messages in thread
From: Dan Carpenter @ 2017-08-18 7:07 UTC (permalink / raw)
To: Daniel Vetter, Jason Ekstrand, Chris Wilson
Cc: David Airlie, intel-gfx, kernel-janitors, dri-devel
There are some potential integer overflows here on 64 bit systems.
The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be
true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the
check for now and look a couple lines after:
if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
^^^^^^^^^^^
"nfences" is an unsigned int, so if we set it to UINT_MAX and multiply
by two, it's going to have an integer overflow. The multiplication by
sizeof(u32) is OK because that gets type promoted to size_t. This patch
changes the access_ok() check to use sizeof(*user) which fixes the
integer overflow and is also more readable.
The "args->buffer_count" variable is an unsigned int as well so it could
overflow if it's set to UINT_MAX when we do:
exec2_list = kvmalloc_array(args->buffer_count + 1, sz,
^^^^^^^^^^^^^^^^^^^^^^
Originally, those two integer overflow checks were against UINT_MAX
instead of SIZE_MAX and this patch changes them back.
Fixes: 2889caa92321 ("drm/i915: Eliminate lots of iterations over the execobjects array")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: Use sizeof(*users)
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index 15ab3e6792f9..11419b81cf13 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -2156,7 +2156,7 @@ get_fence_array(struct drm_i915_gem_execbuffer2 *args,
return ERR_PTR(-EINVAL);
user = u64_to_user_ptr(args->cliprects_ptr);
- if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
+ if (!access_ok(VERIFY_READ, user, nfences * sizeof(*user)))
return ERR_PTR(-EFAULT);
fences = kvmalloc_array(args->num_cliprects, sizeof(*fences),
@@ -2520,7 +2520,7 @@ i915_gem_execbuffer(struct drm_device *dev, void *data,
unsigned int i;
int err;
- if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) {
+ if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) {
DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count);
return -EINVAL;
}
@@ -2609,7 +2609,7 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data,
struct drm_syncobj **fences = NULL;
int err;
- if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) {
+ if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) {
DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count);
return -EINVAL;
}
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH v2] drm/i915: Fix integer overflow tests
2017-08-18 7:07 ` [PATCH v2] " Dan Carpenter
@ 2017-08-18 7:46 ` Chris Wilson
2017-08-18 8:01 ` Dan Carpenter
0 siblings, 1 reply; 9+ messages in thread
From: Chris Wilson @ 2017-08-18 7:46 UTC (permalink / raw)
To: Dan Carpenter, Daniel Vetter, Jason Ekstrand
Cc: Jani Nikula, David Airlie, intel-gfx, dri-devel, kernel-janitors
Quoting Dan Carpenter (2017-08-18 08:07:00)
> There are some potential integer overflows here on 64 bit systems.
>
> The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be
> true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the
> check for now and look a couple lines after:
>
> if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
> ^^^^^^^^^^^
> "nfences" is an unsigned int, so if we set it to UINT_MAX and multiply
> by two, it's going to have an integer overflow. The multiplication by
> sizeof(u32) is OK because that gets type promoted to size_t. This patch
> changes the access_ok() check to use sizeof(*user) which fixes the
> integer overflow and is also more readable.
>
> The "args->buffer_count" variable is an unsigned int as well so it could
> overflow if it's set to UINT_MAX when we do:
>
> exec2_list = kvmalloc_array(args->buffer_count + 1, sz,
> ^^^^^^^^^^^^^^^^^^^^^^
>
> Originally, those two integer overflow checks were against UINT_MAX
> instead of SIZE_MAX and this patch changes them back.
>
> Fixes: 2889caa92321 ("drm/i915: Eliminate lots of iterations over the execobjects array")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> v2: Use sizeof(*users)
Please do consider my alternative.
-Chris
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2] drm/i915: Fix integer overflow tests
2017-08-18 7:46 ` Chris Wilson
@ 2017-08-18 8:01 ` Dan Carpenter
0 siblings, 0 replies; 9+ messages in thread
From: Dan Carpenter @ 2017-08-18 8:01 UTC (permalink / raw)
To: Chris Wilson
Cc: Daniel Vetter, Jason Ekstrand, Jani Nikula, David Airlie,
intel-gfx, dri-devel, kernel-janitors
On Fri, Aug 18, 2017 at 08:46:25AM +0100, Chris Wilson wrote:
> Quoting Dan Carpenter (2017-08-18 08:07:00)
> > There are some potential integer overflows here on 64 bit systems.
> >
> > The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be
> > true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the
> > check for now and look a couple lines after:
> >
> > if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
> > ^^^^^^^^^^^
> > "nfences" is an unsigned int, so if we set it to UINT_MAX and multiply
> > by two, it's going to have an integer overflow. The multiplication by
> > sizeof(u32) is OK because that gets type promoted to size_t. This patch
> > changes the access_ok() check to use sizeof(*user) which fixes the
> > integer overflow and is also more readable.
> >
> > The "args->buffer_count" variable is an unsigned int as well so it could
> > overflow if it's set to UINT_MAX when we do:
> >
> > exec2_list = kvmalloc_array(args->buffer_count + 1, sz,
> > ^^^^^^^^^^^^^^^^^^^^^^
> >
> > Originally, those two integer overflow checks were against UINT_MAX
> > instead of SIZE_MAX and this patch changes them back.
> >
> > Fixes: 2889caa92321 ("drm/i915: Eliminate lots of iterations over the execobjects array")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > v2: Use sizeof(*users)
>
> Please do consider my alternative.
I don't think you sent the email? I haven't recieved any emails from
you on either my oracle.com address or through the kernel janitors list.
Can you resend?
regards
dan carpenter
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2017-08-18 8:01 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-08-17 6:23 [PATCH] drm/i915: Fix integer overflow tests Dan Carpenter
2017-08-17 9:37 ` Imre Deak
2017-08-17 9:50 ` Dan Carpenter
2017-08-17 9:56 ` Imre Deak
2017-08-17 14:16 ` Jason Ekstrand
2017-08-17 14:32 ` Dan Carpenter
2017-08-18 7:07 ` [PATCH v2] " Dan Carpenter
2017-08-18 7:46 ` Chris Wilson
2017-08-18 8:01 ` Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).