From: Kees Cook <keescook@chromium.org>
To: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: DRI Development <dri-devel@lists.freedesktop.org>,
LKML <linux-kernel@vger.kernel.org>,
syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com,
Alexander Viro <viro@zeniv.linux.org.uk>,
Andrew Morton <akpm@linux-foundation.org>,
Stephen Rothwell <sfr@canb.auug.org.au>,
Daniel Vetter <daniel.vetter@intel.com>
Subject: Re: [PATCH] drm: Limit to INT_MAX in create_blob ioctl
Date: Wed, 6 Nov 2019 09:24:18 -0800 [thread overview]
Message-ID: <201911060920.71D7E76E@keescook> (raw)
In-Reply-To: <20191106164755.31478-1-daniel.vetter@ffwll.ch>
On Wed, Nov 06, 2019 at 05:47:55PM +0100, Daniel Vetter wrote:
> The hardened usercpy code is too paranoid ever since:
>
> commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe
> Author: Kees Cook <keescook@chromium.org>
> Date: Wed Nov 6 16:07:01 2019 +1100
>
> uaccess: disallow > INT_MAX copy sizes
>
> Code itself should have been fine as-is.
I had to go read the syzbot report to understand what was actually being
fixed here. Can you be a bit more verbose in this commit log? It sounds
like huge usercopy sizes were allowed by drm (though I guess they would
fail gracefully in some other way?) but after 6a30afa8c1fb, the copy
would yell about sizes where INT_MAX < size < ULONG_MAX - sizeof(...) ?
What was the prior failure mode that made the existing ULONG_MAX check
safe? Your patch looks fine, though:
Reviewed-by: Kees Cook <keescook@chromium.org>
> Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com
> Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Stephen Rothwell <sfr@canb.auug.org.au>
> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> --
> Kees/Andrew,
>
> Since this is -mm can I have a stable sha1 or something for
> referencing? Or do you want to include this in the -mm patch bomb for
> the merge window?
Traditionally these things live in akpm's tree when they are fixes for
patches in there. I have no idea how the Fixes tags work in that case,
though...
-Kees
> -Daniel
> ---
> drivers/gpu/drm/drm_property.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
> index 892ce636ef72..6ee04803c362 100644
> --- a/drivers/gpu/drm/drm_property.c
> +++ b/drivers/gpu/drm/drm_property.c
> @@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
> struct drm_property_blob *blob;
> int ret;
>
> - if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
> + if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
> return ERR_PTR(-EINVAL);
>
> blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
> --
> 2.24.0.rc2
>
--
Kees Cook
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>,
syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com,
LKML <linux-kernel@vger.kernel.org>,
DRI Development <dri-devel@lists.freedesktop.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Daniel Vetter <daniel.vetter@intel.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH] drm: Limit to INT_MAX in create_blob ioctl
Date: Wed, 6 Nov 2019 09:24:18 -0800 [thread overview]
Message-ID: <201911060920.71D7E76E@keescook> (raw)
Message-ID: <20191106172418.AGbn1V8gCG2Et5RcMF3-ru8_YGNURaIM_lng6qapTJc@z> (raw)
In-Reply-To: <20191106164755.31478-1-daniel.vetter@ffwll.ch>
On Wed, Nov 06, 2019 at 05:47:55PM +0100, Daniel Vetter wrote:
> The hardened usercpy code is too paranoid ever since:
>
> commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe
> Author: Kees Cook <keescook@chromium.org>
> Date: Wed Nov 6 16:07:01 2019 +1100
>
> uaccess: disallow > INT_MAX copy sizes
>
> Code itself should have been fine as-is.
I had to go read the syzbot report to understand what was actually being
fixed here. Can you be a bit more verbose in this commit log? It sounds
like huge usercopy sizes were allowed by drm (though I guess they would
fail gracefully in some other way?) but after 6a30afa8c1fb, the copy
would yell about sizes where INT_MAX < size < ULONG_MAX - sizeof(...) ?
What was the prior failure mode that made the existing ULONG_MAX check
safe? Your patch looks fine, though:
Reviewed-by: Kees Cook <keescook@chromium.org>
> Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com
> Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Stephen Rothwell <sfr@canb.auug.org.au>
> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> --
> Kees/Andrew,
>
> Since this is -mm can I have a stable sha1 or something for
> referencing? Or do you want to include this in the -mm patch bomb for
> the merge window?
Traditionally these things live in akpm's tree when they are fixes for
patches in there. I have no idea how the Fixes tags work in that case,
though...
-Kees
> -Daniel
> ---
> drivers/gpu/drm/drm_property.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
> index 892ce636ef72..6ee04803c362 100644
> --- a/drivers/gpu/drm/drm_property.c
> +++ b/drivers/gpu/drm/drm_property.c
> @@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
> struct drm_property_blob *blob;
> int ret;
>
> - if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
> + if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
> return ERR_PTR(-EINVAL);
>
> blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
> --
> 2.24.0.rc2
>
--
Kees Cook
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
next prev parent reply other threads:[~2019-11-06 17:24 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-06 16:47 [PATCH] drm: Limit to INT_MAX in create_blob ioctl Daniel Vetter
2019-11-06 16:47 ` Daniel Vetter
2019-11-06 17:03 ` Ville Syrjälä
2019-11-06 17:03 ` Ville Syrjälä
2019-11-06 17:24 ` Kees Cook [this message]
2019-11-06 17:24 ` Kees Cook
2019-11-06 17:56 ` Daniel Vetter
2019-11-06 17:56 ` Daniel Vetter
2019-11-06 18:13 ` Andrew Morton
2019-11-06 18:13 ` Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201911060920.71D7E76E@keescook \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=daniel.vetter@ffwll.ch \
--cc=daniel.vetter@intel.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sfr@canb.auug.org.au \
--cc=syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.