From: Daniel Vetter <daniel@ffwll.ch> To: Dan Carpenter <dan.carpenter@oracle.com> Cc: David Airlie <airlied@linux.ie>, kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org Subject: Re: [PATCH] drm/dumb-buffers: Integer overflow in drm_mode_create_ioctl() Date: Wed, 09 May 2018 08:23:07 +0000 [thread overview] Message-ID: <20180509082307.GS28661@phenom.ffwll.local> (raw) In-Reply-To: <20180509072249.GA12754@mwanda> On Wed, May 09, 2018 at 10:22:49AM +0300, Dan Carpenter wrote: > There is a comment here which says that DIV_ROUND_UP() and that's where > the problem comes from. Say you pick: > > args->bpp = UINT_MAX - 7; > args->width = 4; > args->height = 1; > > The integer overflow in DIV_ROUND_UP() means "cpp" is UINT_MAX / 8 and > because of how we picked args->width that means cpp < UINT_MAX / 4. > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > Btw, DIV_ROUND_UP() integer overflows have been a recurring source of > bugs so I have an unreleased static checker warning specific for that. > This line triggers three warnings for me on my unreleased code: > > drivers/gpu/drm/drm_dumb_buffers.c:69 drm_mode_create_dumb_ioctl() warn: negative user subtract: 0-u32max - 1 > drivers/gpu/drm/drm_dumb_buffers.c:69 drm_mode_create_dumb_ioctl() warn: potential integer overflow from user '(args->bpp) + (8)' > drivers/gpu/drm/drm_dumb_buffers.c:69 drm_mode_create_dumb_ioctl() warn: potential integer overflow in 'DIV_ROUND_UP' > > It's a pretty common idiom in the kernel to overflow and then test for > it later so I'm not able to release this code because of the number of > false positives that this idiom causes... > > diff --git a/drivers/gpu/drm/drm_dumb_buffers.c b/drivers/gpu/drm/drm_dumb_buffers.c > index 39ac15ce4702..45b0b5bbb5f8 100644 > --- a/drivers/gpu/drm/drm_dumb_buffers.c > +++ b/drivers/gpu/drm/drm_dumb_buffers.c > @@ -65,7 +65,8 @@ int drm_mode_create_dumb_ioctl(struct drm_device *dev, > return -EINVAL; > > /* overflow checks for 32bit size calculations */ > - /* NOTE: DIV_ROUND_UP() can overflow */ > + if (args->bpp > UINT_MAX - 8) > + return -EINVAL; > cpp = DIV_ROUND_UP(args->bpp, 8); > if (!cpp || cpp > 0xffffffffU / args->width) The !cpp check is now redundant, this was our minimal overflow check. Note that we only really care for cpp != 0 and that the size calculation doesn't overflow. Userspace specifying a completely bogus bpp value is ok otherwise (reasonable values only go up to about 128). So I think there's no security issue here. Anyway, can you pls respin with the !cpp check removed? See also commit 6a77e80e55cacace60ff03aa717a6d364a401d2b (HEAD -> stuff) Author: Daniel Vetter <daniel.vetter@ffwll.ch> Date: Mon Apr 30 17:04:10 2018 +0200 backlight: remove obsolete comment for ->state for context. Thanks, Daniel > return -EINVAL; > _______________________________________________ > dri-devel mailing list > dri-devel@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/dri-devel -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch
WARNING: multiple messages have this Message-ID (diff)
From: Daniel Vetter <daniel@ffwll.ch> To: Dan Carpenter <dan.carpenter@oracle.com> Cc: David Airlie <airlied@linux.ie>, kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org Subject: Re: [PATCH] drm/dumb-buffers: Integer overflow in drm_mode_create_ioctl() Date: Wed, 9 May 2018 10:23:07 +0200 [thread overview] Message-ID: <20180509082307.GS28661@phenom.ffwll.local> (raw) In-Reply-To: <20180509072249.GA12754@mwanda> On Wed, May 09, 2018 at 10:22:49AM +0300, Dan Carpenter wrote: > There is a comment here which says that DIV_ROUND_UP() and that's where > the problem comes from. Say you pick: > > args->bpp = UINT_MAX - 7; > args->width = 4; > args->height = 1; > > The integer overflow in DIV_ROUND_UP() means "cpp" is UINT_MAX / 8 and > because of how we picked args->width that means cpp < UINT_MAX / 4. > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > Btw, DIV_ROUND_UP() integer overflows have been a recurring source of > bugs so I have an unreleased static checker warning specific for that. > This line triggers three warnings for me on my unreleased code: > > drivers/gpu/drm/drm_dumb_buffers.c:69 drm_mode_create_dumb_ioctl() warn: negative user subtract: 0-u32max - 1 > drivers/gpu/drm/drm_dumb_buffers.c:69 drm_mode_create_dumb_ioctl() warn: potential integer overflow from user '(args->bpp) + (8)' > drivers/gpu/drm/drm_dumb_buffers.c:69 drm_mode_create_dumb_ioctl() warn: potential integer overflow in 'DIV_ROUND_UP' > > It's a pretty common idiom in the kernel to overflow and then test for > it later so I'm not able to release this code because of the number of > false positives that this idiom causes... > > diff --git a/drivers/gpu/drm/drm_dumb_buffers.c b/drivers/gpu/drm/drm_dumb_buffers.c > index 39ac15ce4702..45b0b5bbb5f8 100644 > --- a/drivers/gpu/drm/drm_dumb_buffers.c > +++ b/drivers/gpu/drm/drm_dumb_buffers.c > @@ -65,7 +65,8 @@ int drm_mode_create_dumb_ioctl(struct drm_device *dev, > return -EINVAL; > > /* overflow checks for 32bit size calculations */ > - /* NOTE: DIV_ROUND_UP() can overflow */ > + if (args->bpp > UINT_MAX - 8) > + return -EINVAL; > cpp = DIV_ROUND_UP(args->bpp, 8); > if (!cpp || cpp > 0xffffffffU / args->width) The !cpp check is now redundant, this was our minimal overflow check. Note that we only really care for cpp != 0 and that the size calculation doesn't overflow. Userspace specifying a completely bogus bpp value is ok otherwise (reasonable values only go up to about 128). So I think there's no security issue here. Anyway, can you pls respin with the !cpp check removed? See also commit 6a77e80e55cacace60ff03aa717a6d364a401d2b (HEAD -> stuff) Author: Daniel Vetter <daniel.vetter@ffwll.ch> Date: Mon Apr 30 17:04:10 2018 +0200 backlight: remove obsolete comment for ->state for context. Thanks, Daniel > return -EINVAL; > _______________________________________________ > dri-devel mailing list > dri-devel@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/dri-devel -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch _______________________________________________ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel
next prev parent reply other threads:[~2018-05-09 8:23 UTC|newest] Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-05-09 7:22 [PATCH] drm/dumb-buffers: Integer overflow in drm_mode_create_ioctl() Dan Carpenter 2018-05-09 7:22 ` Dan Carpenter 2018-05-09 8:12 ` [PATCH v2] " Dan Carpenter 2018-05-09 8:12 ` Dan Carpenter 2018-05-09 8:18 ` Chris Wilson 2018-05-09 8:18 ` Chris Wilson 2018-05-09 11:59 ` Dan Carpenter 2018-05-09 11:59 ` Dan Carpenter 2018-05-16 14:00 ` Dan Carpenter 2018-05-16 14:00 ` Dan Carpenter 2018-05-16 14:26 ` Chris Wilson 2018-05-16 14:26 ` Chris Wilson 2018-05-16 14:52 ` Dan Carpenter 2018-05-16 14:52 ` Dan Carpenter 2018-05-16 14:56 ` Chris Wilson 2018-05-16 15:15 ` Dan Carpenter 2018-05-16 15:15 ` Dan Carpenter 2018-05-16 15:25 ` Chris Wilson 2018-05-16 15:41 ` Dan Carpenter 2018-05-16 15:41 ` Dan Carpenter 2018-05-16 15:57 ` Daniel Vetter 2018-05-16 15:57 ` Daniel Vetter 2018-05-09 8:23 ` Daniel Vetter [this message] 2018-05-09 8:23 ` [PATCH] " Daniel Vetter
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20180509082307.GS28661@phenom.ffwll.local \ --to=daniel@ffwll.ch \ --cc=airlied@linux.ie \ --cc=dan.carpenter@oracle.com \ --cc=dri-devel@lists.freedesktop.org \ --cc=kernel-janitors@vger.kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.