From: Daniel Vetter <daniel.vetter@ffwll.ch> To: Kees Cook <keescook@chromium.org> Cc: DRI Development <dri-devel@lists.freedesktop.org>, LKML <linux-kernel@vger.kernel.org>, syzbot <syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com>, Alexander Viro <viro@zeniv.linux.org.uk>, Andrew Morton <akpm@linux-foundation.org>, Stephen Rothwell <sfr@canb.auug.org.au>, Daniel Vetter <daniel.vetter@intel.com> Subject: Re: [PATCH] drm: Limit to INT_MAX in create_blob ioctl Date: Wed, 6 Nov 2019 18:56:12 +0100 [thread overview] Message-ID: <CAKMK7uGq5o+jj-YigTomfx2XEHh5eUjnKD70Trkc6opZOViUHg@mail.gmail.com> (raw) In-Reply-To: <201911060920.71D7E76E@keescook> On Wed, Nov 6, 2019 at 6:24 PM Kees Cook <keescook@chromium.org> wrote: > > On Wed, Nov 06, 2019 at 05:47:55PM +0100, Daniel Vetter wrote: > > The hardened usercpy code is too paranoid ever since: > > > > commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe > > Author: Kees Cook <keescook@chromium.org> > > Date: Wed Nov 6 16:07:01 2019 +1100 > > > > uaccess: disallow > INT_MAX copy sizes > > > > Code itself should have been fine as-is. > > I had to go read the syzbot report to understand what was actually being > fixed here. Can you be a bit more verbose in this commit log? It sounds > like huge usercopy sizes were allowed by drm (though I guess they would > fail gracefully in some other way?) but after 6a30afa8c1fb, the copy > would yell about sizes where INT_MAX < size < ULONG_MAX - sizeof(...) ? The WARNING seems to have been the only bad effect. I guess in practice the real big stuff fails at memory allocation time, but shouldn't overflow. Or maybe I still don't get how this C thing works. Anyway I figured the cited patch is good enough, userptr copies > INT_MAX aren't allowed anymore, so we need to adjust our overflow checks. -Daniel > What was the prior failure mode that made the existing ULONG_MAX check > safe? Your patch looks fine, though: > > Reviewed-by: Kees Cook <keescook@chromium.org> > > > Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com > > Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes") > > Cc: Kees Cook <keescook@chromium.org> > > Cc: Alexander Viro <viro@zeniv.linux.org.uk> > > Cc: Andrew Morton <akpm@linux-foundation.org> > > Cc: Stephen Rothwell <sfr@canb.auug.org.au> > > Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> > > -- > > Kees/Andrew, > > > > Since this is -mm can I have a stable sha1 or something for > > referencing? Or do you want to include this in the -mm patch bomb for > > the merge window? > > Traditionally these things live in akpm's tree when they are fixes for > patches in there. I have no idea how the Fixes tags work in that case, > though... > > -Kees > > > -Daniel > > --- > > drivers/gpu/drm/drm_property.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c > > index 892ce636ef72..6ee04803c362 100644 > > --- a/drivers/gpu/drm/drm_property.c > > +++ b/drivers/gpu/drm/drm_property.c > > @@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length, > > struct drm_property_blob *blob; > > int ret; > > > > - if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob)) > > + if (!length || length > INT_MAX - sizeof(struct drm_property_blob)) > > return ERR_PTR(-EINVAL); > > > > blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); > > -- > > 2.24.0.rc2 > > > > -- > Kees Cook -- Daniel Vetter Software Engineer, Intel Corporation +41 (0) 79 365 57 48 - http://blog.ffwll.ch
WARNING: multiple messages have this Message-ID (diff)
From: Daniel Vetter <daniel.vetter@ffwll.ch> To: Kees Cook <keescook@chromium.org> Cc: Stephen Rothwell <sfr@canb.auug.org.au>, syzbot <syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com>, LKML <linux-kernel@vger.kernel.org>, DRI Development <dri-devel@lists.freedesktop.org>, Alexander Viro <viro@zeniv.linux.org.uk>, Daniel Vetter <daniel.vetter@intel.com>, Andrew Morton <akpm@linux-foundation.org> Subject: Re: [PATCH] drm: Limit to INT_MAX in create_blob ioctl Date: Wed, 6 Nov 2019 18:56:12 +0100 [thread overview] Message-ID: <CAKMK7uGq5o+jj-YigTomfx2XEHh5eUjnKD70Trkc6opZOViUHg@mail.gmail.com> (raw) Message-ID: <20191106175612.bAiKNRVXhmd_IuJn7qhegiI2jbTxZVm0ictnlWnPZyM@z> (raw) In-Reply-To: <201911060920.71D7E76E@keescook> On Wed, Nov 6, 2019 at 6:24 PM Kees Cook <keescook@chromium.org> wrote: > > On Wed, Nov 06, 2019 at 05:47:55PM +0100, Daniel Vetter wrote: > > The hardened usercpy code is too paranoid ever since: > > > > commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe > > Author: Kees Cook <keescook@chromium.org> > > Date: Wed Nov 6 16:07:01 2019 +1100 > > > > uaccess: disallow > INT_MAX copy sizes > > > > Code itself should have been fine as-is. > > I had to go read the syzbot report to understand what was actually being > fixed here. Can you be a bit more verbose in this commit log? It sounds > like huge usercopy sizes were allowed by drm (though I guess they would > fail gracefully in some other way?) but after 6a30afa8c1fb, the copy > would yell about sizes where INT_MAX < size < ULONG_MAX - sizeof(...) ? The WARNING seems to have been the only bad effect. I guess in practice the real big stuff fails at memory allocation time, but shouldn't overflow. Or maybe I still don't get how this C thing works. Anyway I figured the cited patch is good enough, userptr copies > INT_MAX aren't allowed anymore, so we need to adjust our overflow checks. -Daniel > What was the prior failure mode that made the existing ULONG_MAX check > safe? Your patch looks fine, though: > > Reviewed-by: Kees Cook <keescook@chromium.org> > > > Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com > > Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes") > > Cc: Kees Cook <keescook@chromium.org> > > Cc: Alexander Viro <viro@zeniv.linux.org.uk> > > Cc: Andrew Morton <akpm@linux-foundation.org> > > Cc: Stephen Rothwell <sfr@canb.auug.org.au> > > Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> > > -- > > Kees/Andrew, > > > > Since this is -mm can I have a stable sha1 or something for > > referencing? Or do you want to include this in the -mm patch bomb for > > the merge window? > > Traditionally these things live in akpm's tree when they are fixes for > patches in there. I have no idea how the Fixes tags work in that case, > though... > > -Kees > > > -Daniel > > --- > > drivers/gpu/drm/drm_property.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c > > index 892ce636ef72..6ee04803c362 100644 > > --- a/drivers/gpu/drm/drm_property.c > > +++ b/drivers/gpu/drm/drm_property.c > > @@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length, > > struct drm_property_blob *blob; > > int ret; > > > > - if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob)) > > + if (!length || length > INT_MAX - sizeof(struct drm_property_blob)) > > return ERR_PTR(-EINVAL); > > > > blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); > > -- > > 2.24.0.rc2 > > > > -- > Kees Cook -- Daniel Vetter Software Engineer, Intel Corporation +41 (0) 79 365 57 48 - http://blog.ffwll.ch _______________________________________________ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel
next prev parent reply other threads:[~2019-11-06 17:56 UTC|newest] Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-11-06 16:47 [PATCH] drm: Limit to INT_MAX in create_blob ioctl Daniel Vetter 2019-11-06 16:47 ` Daniel Vetter 2019-11-06 17:03 ` Ville Syrjälä 2019-11-06 17:03 ` Ville Syrjälä 2019-11-06 17:24 ` Kees Cook 2019-11-06 17:24 ` Kees Cook 2019-11-06 17:56 ` Daniel Vetter [this message] 2019-11-06 17:56 ` Daniel Vetter 2019-11-06 18:13 ` Andrew Morton 2019-11-06 18:13 ` Andrew Morton
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=CAKMK7uGq5o+jj-YigTomfx2XEHh5eUjnKD70Trkc6opZOViUHg@mail.gmail.com \ --to=daniel.vetter@ffwll.ch \ --cc=akpm@linux-foundation.org \ --cc=daniel.vetter@intel.com \ --cc=dri-devel@lists.freedesktop.org \ --cc=keescook@chromium.org \ --cc=linux-kernel@vger.kernel.org \ --cc=sfr@canb.auug.org.au \ --cc=syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com \ --cc=viro@zeniv.linux.org.uk \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).