From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 24 Mar 2017 20:30:39 -0700
From: Sinclair Yeh
To: Vladis Dronov
CC: VMware Graphics, Thomas Hellstrom, David Airlie
Subject: Re: [PATCH] drm/vmwgfx: Check check that number of mip levels is above zero in vmw_surface_define_ioctl()
Message-ID: <20170325033039.GA62386@syeh-m02>
References: <20170324153710.8706-1-vdronov@redhat.com>
In-Reply-To: <20170324153710.8706-1-vdronov@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi, thank you for this patch.

Murray McAllister reported this one a couple of months ago, and this
is already in our queue.

Sinclair

On Fri, Mar 24, 2017 at 04:37:10PM +0100, Vladis Dronov wrote:
> In vmw_surface_define_ioctl(), a num_sizes parameter is assigned a
> user-controlled value which is not checked for zero. It is used in
> a call to kmalloc() which returns ZERO_SIZE_PTR. Later ZERO_SIZE_PTR
> is dereferenced which leads to a GPF and possibly to a kernel panic.
> Add the check for zero to avoid this.
>
> Reference: https://urldefense.proofpoint.com/v2/url?u=https-3A__bugzilla.redhat.com_show-5Fbug.cgi-3Fid-3D1435719&d=DwIBAg&c=uilaK90D4TOVoH58JNXRgQ&r=HaJ2a6NYExoV0cntAYcoqA&m=OW9cIAAez9eRIxEYMaToDu2szuR_YrfQcOzAH6L8dXo&s=-3P2pG3n1YW6-8NG6mLC7kyxmx7mMxJmXgY79ZgQeo4&e=
> Signed-off-by: Vladis Dronov
> --- > drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c > index b445ce9..42840cc 100644 > --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c > @@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data, > for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) > num_sizes += req->mip_levels[i]; > > - if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * > - DRM_VMW_MAX_MIP_LEVELS) > + if (num_sizes <= 0 || > + num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS) > return -EINVAL; > > size = vmw_user_surface_size + 128 + > -- > 2.9.3 >
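
Review bot: In the loop ahead of the changed condition, each req->mip_levels[i] is added to num_sizes without being bounded itself, so both the new zero check and the existing upper limit apply only to the sum. Consider rejecting any face with req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS inside the loop, which also keeps the sum from wrapping before it is compared. On the added line, if num_sizes is an unsigned type (its declaration is not in the hunk), `num_sizes <= 0` is equivalent to `num_sizes == 0`, and the latter states the intent more directly.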