From mboxrd@z Thu Jan 1 00:00:00 1970
From: Daniel Vetter
Subject: [PATCH] drm: Limit to INT_MAX in create_blob ioctl
Date: Wed, 6 Nov 2019 17:47:55 +0100
Message-ID: <20191106164755.31478-1-daniel.vetter@ffwll.ch>
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
To: DRI Development
Cc: LKML, Daniel Vetter, syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com, Kees Cook, Alexander Viro, Andrew Morton, Stephen Rothwell, Daniel Vetter
List-Id: dri-devel@lists.freedesktop.org

The hardened usercopy code is too paranoid ever since:

commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe
Author: Kees Cook
Date:   Wed Nov 6 16:07:01 2019 +1100

    uaccess: disallow > INT_MAX copy sizes

Code itself should have been fine as-is.

Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com
Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
Cc: Kees Cook
Cc: Alexander Viro
Cc: Andrew Morton
Cc: Stephen Rothwell
Signed-off-by: Daniel Vetter
--
Kees/Andrew,

Since this is -mm can I have a stable sha1 or something for
referencing? Or do you want to include this in the -mm patch bomb for
the merge window?
-Daniel
---
drivers/gpu/drm/drm_property.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c index 892ce636ef72..6ee04803c362 100644 --- a/drivers/gpu/drm/drm_property.c +++ b/drivers/gpu/drm/drm_property.c 
@@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length, struct drm_property_blob *blob; int ret; - if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob)) + if (!length || length > INT_MAX - sizeof(struct drm_property_blob)) return ERR_PTR(-EINVAL); blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); -- 2.24.0.rc2
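
Review bot: the new bound in "length > INT_MAX - sizeof(struct drm_property_blob)" carries no comment saying why INT_MAX was chosen, and nothing in the hunk ties it to the uaccess copy-size limit that the commit message gives as the reason. A one-line comment above the if, pointing at the INT_MAX limit on user copies from 6a30afa8c1fb, would keep a later cleanup from restoring ULONG_MAX. The subtraction is still evaluated as size_t because of the sizeof operand, so the comparison with the size_t length stays unsigned and the sum passed to kvzalloc() cannot wrap. The changelog should also state that the largest blob length accepted by this function drops to just under 2 GiB, since that is a behaviour change visible to callers.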