* [PATCH] drm: Limit to INT_MAX in create_blob ioctl
@ 2019-11-06 16:47 Daniel Vetter
2019-11-06 16:47 ` Daniel Vetter
` (2 more replies)
0 siblings, 3 replies; 10+ messages in thread
From: Daniel Vetter @ 2019-11-06 16:47 UTC (permalink / raw)
To: DRI Development
Cc: LKML, Daniel Vetter, syzbot+fb77e97ebf0612ee6914, Kees Cook,
Alexander Viro, Andrew Morton, Stephen Rothwell, Daniel Vetter
The hardened usercpy code is too paranoid ever since:
commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe
Author: Kees Cook <keescook@chromium.org>
Date: Wed Nov 6 16:07:01 2019 +1100
uaccess: disallow > INT_MAX copy sizes
Code itself should have been fine as-is.
Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com
Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
Cc: Kees Cook <keescook@chromium.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
--
Kees/Andrew,
Since this is -mm can I have a stable sha1 or something for
referencing? Or do you want to include this in the -mm patch bomb for
the merge window?
-Daniel
---
drivers/gpu/drm/drm_property.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
index 892ce636ef72..6ee04803c362 100644
--- a/drivers/gpu/drm/drm_property.c
+++ b/drivers/gpu/drm/drm_property.c
@@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
struct drm_property_blob *blob;
int ret;
- if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
+ if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
return ERR_PTR(-EINVAL);
blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
--
2.24.0.rc2
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH] drm: Limit to INT_MAX in create_blob ioctl
2019-11-06 16:47 [PATCH] drm: Limit to INT_MAX in create_blob ioctl Daniel Vetter
@ 2019-11-06 16:47 ` Daniel Vetter
2019-11-06 17:03 ` Ville Syrjälä
2019-11-06 17:24 ` Kees Cook
2 siblings, 0 replies; 10+ messages in thread
From: Daniel Vetter @ 2019-11-06 16:47 UTC (permalink / raw)
To: DRI Development
Cc: Stephen Rothwell, syzbot+fb77e97ebf0612ee6914, Kees Cook,
Daniel Vetter, LKML, Alexander Viro, Daniel Vetter,
Andrew Morton
The hardened usercpy code is too paranoid ever since:
commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe
Author: Kees Cook <keescook@chromium.org>
Date: Wed Nov 6 16:07:01 2019 +1100
uaccess: disallow > INT_MAX copy sizes
Code itself should have been fine as-is.
Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com
Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
Cc: Kees Cook <keescook@chromium.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
--
Kees/Andrew,
Since this is -mm can I have a stable sha1 or something for
referencing? Or do you want to include this in the -mm patch bomb for
the merge window?
-Daniel
---
drivers/gpu/drm/drm_property.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
index 892ce636ef72..6ee04803c362 100644
--- a/drivers/gpu/drm/drm_property.c
+++ b/drivers/gpu/drm/drm_property.c
@@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
struct drm_property_blob *blob;
int ret;
- if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
+ if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
return ERR_PTR(-EINVAL);
blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
--
2.24.0.rc2
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH] drm: Limit to INT_MAX in create_blob ioctl
2019-11-06 16:47 [PATCH] drm: Limit to INT_MAX in create_blob ioctl Daniel Vetter
2019-11-06 16:47 ` Daniel Vetter
@ 2019-11-06 17:03 ` Ville Syrjälä
2019-11-06 17:03 ` Ville Syrjälä
2019-11-06 17:24 ` Kees Cook
2 siblings, 1 reply; 10+ messages in thread
From: Ville Syrjälä @ 2019-11-06 17:03 UTC (permalink / raw)
To: Daniel Vetter
Cc: DRI Development, Stephen Rothwell, syzbot+fb77e97ebf0612ee6914,
Kees Cook, LKML, Alexander Viro, Daniel Vetter, Andrew Morton
On Wed, Nov 06, 2019 at 05:47:55PM +0100, Daniel Vetter wrote:
> The hardened usercpy code is too paranoid ever since:
>
> commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe
> Author: Kees Cook <keescook@chromium.org>
> Date: Wed Nov 6 16:07:01 2019 +1100
>
> uaccess: disallow > INT_MAX copy sizes
>
> Code itself should have been fine as-is.
>
> Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com
> Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Stephen Rothwell <sfr@canb.auug.org.au>
> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> --
> Kees/Andrew,
>
> Since this is -mm can I have a stable sha1 or something for
> referencing? Or do you want to include this in the -mm patch bomb for
> the merge window?
> -Daniel
> ---
> drivers/gpu/drm/drm_property.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
> index 892ce636ef72..6ee04803c362 100644
> --- a/drivers/gpu/drm/drm_property.c
> +++ b/drivers/gpu/drm/drm_property.c
> @@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
> struct drm_property_blob *blob;
> int ret;
>
> - if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
> + if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
> return ERR_PTR(-EINVAL);
INT_MAX should be more than enough.
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
>
> blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
> --
> 2.24.0.rc2
>
> _______________________________________________
> dri-devel mailing list
> dri-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel
--
Ville Syrjälä
Intel
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] drm: Limit to INT_MAX in create_blob ioctl
2019-11-06 17:03 ` Ville Syrjälä
@ 2019-11-06 17:03 ` Ville Syrjälä
0 siblings, 0 replies; 10+ messages in thread
From: Ville Syrjälä @ 2019-11-06 17:03 UTC (permalink / raw)
To: Daniel Vetter
Cc: Stephen Rothwell, syzbot+fb77e97ebf0612ee6914, Kees Cook, LKML,
DRI Development, Alexander Viro, Daniel Vetter, Andrew Morton
On Wed, Nov 06, 2019 at 05:47:55PM +0100, Daniel Vetter wrote:
> The hardened usercpy code is too paranoid ever since:
>
> commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe
> Author: Kees Cook <keescook@chromium.org>
> Date: Wed Nov 6 16:07:01 2019 +1100
>
> uaccess: disallow > INT_MAX copy sizes
>
> Code itself should have been fine as-is.
>
> Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com
> Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Stephen Rothwell <sfr@canb.auug.org.au>
> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> --
> Kees/Andrew,
>
> Since this is -mm can I have a stable sha1 or something for
> referencing? Or do you want to include this in the -mm patch bomb for
> the merge window?
> -Daniel
> ---
> drivers/gpu/drm/drm_property.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
> index 892ce636ef72..6ee04803c362 100644
> --- a/drivers/gpu/drm/drm_property.c
> +++ b/drivers/gpu/drm/drm_property.c
> @@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
> struct drm_property_blob *blob;
> int ret;
>
> - if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
> + if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
> return ERR_PTR(-EINVAL);
INT_MAX should be more than enough.
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
>
> blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
> --
> 2.24.0.rc2
>
> _______________________________________________
> dri-devel mailing list
> dri-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel
--
Ville Syrjälä
Intel
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] drm: Limit to INT_MAX in create_blob ioctl
2019-11-06 16:47 [PATCH] drm: Limit to INT_MAX in create_blob ioctl Daniel Vetter
2019-11-06 16:47 ` Daniel Vetter
2019-11-06 17:03 ` Ville Syrjälä
@ 2019-11-06 17:24 ` Kees Cook
2019-11-06 17:24 ` Kees Cook
` (2 more replies)
2 siblings, 3 replies; 10+ messages in thread
From: Kees Cook @ 2019-11-06 17:24 UTC (permalink / raw)
To: Daniel Vetter
Cc: DRI Development, LKML, syzbot+fb77e97ebf0612ee6914,
Alexander Viro, Andrew Morton, Stephen Rothwell, Daniel Vetter
On Wed, Nov 06, 2019 at 05:47:55PM +0100, Daniel Vetter wrote:
> The hardened usercpy code is too paranoid ever since:
>
> commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe
> Author: Kees Cook <keescook@chromium.org>
> Date: Wed Nov 6 16:07:01 2019 +1100
>
> uaccess: disallow > INT_MAX copy sizes
>
> Code itself should have been fine as-is.
I had to go read the syzbot report to understand what was actually being
fixed here. Can you be a bit more verbose in this commit log? It sounds
like huge usercopy sizes were allowed by drm (though I guess they would
fail gracefully in some other way?) but after 6a30afa8c1fb, the copy
would yell about sizes where INT_MAX < size < ULONG_MAX - sizeof(...) ?
What was the prior failure mode that made the existing ULONG_MAX check
safe? Your patch looks fine, though:
Reviewed-by: Kees Cook <keescook@chromium.org>
> Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com
> Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Stephen Rothwell <sfr@canb.auug.org.au>
> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> --
> Kees/Andrew,
>
> Since this is -mm can I have a stable sha1 or something for
> referencing? Or do you want to include this in the -mm patch bomb for
> the merge window?
Traditionally these things live in akpm's tree when they are fixes for
patches in there. I have no idea how the Fixes tags work in that case,
though...
-Kees
> -Daniel
> ---
> drivers/gpu/drm/drm_property.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
> index 892ce636ef72..6ee04803c362 100644
> --- a/drivers/gpu/drm/drm_property.c
> +++ b/drivers/gpu/drm/drm_property.c
> @@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
> struct drm_property_blob *blob;
> int ret;
>
> - if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
> + if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
> return ERR_PTR(-EINVAL);
>
> blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
> --
> 2.24.0.rc2
>
--
Kees Cook
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] drm: Limit to INT_MAX in create_blob ioctl
2019-11-06 17:24 ` Kees Cook
@ 2019-11-06 17:24 ` Kees Cook
2019-11-06 17:56 ` Daniel Vetter
2019-11-06 18:13 ` Andrew Morton
2 siblings, 0 replies; 10+ messages in thread
From: Kees Cook @ 2019-11-06 17:24 UTC (permalink / raw)
To: Daniel Vetter
Cc: Stephen Rothwell, syzbot+fb77e97ebf0612ee6914, LKML,
DRI Development, Alexander Viro, Daniel Vetter, Andrew Morton
On Wed, Nov 06, 2019 at 05:47:55PM +0100, Daniel Vetter wrote:
> The hardened usercpy code is too paranoid ever since:
>
> commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe
> Author: Kees Cook <keescook@chromium.org>
> Date: Wed Nov 6 16:07:01 2019 +1100
>
> uaccess: disallow > INT_MAX copy sizes
>
> Code itself should have been fine as-is.
I had to go read the syzbot report to understand what was actually being
fixed here. Can you be a bit more verbose in this commit log? It sounds
like huge usercopy sizes were allowed by drm (though I guess they would
fail gracefully in some other way?) but after 6a30afa8c1fb, the copy
would yell about sizes where INT_MAX < size < ULONG_MAX - sizeof(...) ?
What was the prior failure mode that made the existing ULONG_MAX check
safe? Your patch looks fine, though:
Reviewed-by: Kees Cook <keescook@chromium.org>
> Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com
> Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Stephen Rothwell <sfr@canb.auug.org.au>
> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> --
> Kees/Andrew,
>
> Since this is -mm can I have a stable sha1 or something for
> referencing? Or do you want to include this in the -mm patch bomb for
> the merge window?
Traditionally these things live in akpm's tree when they are fixes for
patches in there. I have no idea how the Fixes tags work in that case,
though...
-Kees
> -Daniel
> ---
> drivers/gpu/drm/drm_property.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
> index 892ce636ef72..6ee04803c362 100644
> --- a/drivers/gpu/drm/drm_property.c
> +++ b/drivers/gpu/drm/drm_property.c
> @@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
> struct drm_property_blob *blob;
> int ret;
>
> - if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
> + if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
> return ERR_PTR(-EINVAL);
>
> blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
> --
> 2.24.0.rc2
>
--
Kees Cook
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] drm: Limit to INT_MAX in create_blob ioctl
2019-11-06 17:24 ` Kees Cook
2019-11-06 17:24 ` Kees Cook
@ 2019-11-06 17:56 ` Daniel Vetter
2019-11-06 17:56 ` Daniel Vetter
2019-11-06 18:13 ` Andrew Morton
2 siblings, 1 reply; 10+ messages in thread
From: Daniel Vetter @ 2019-11-06 17:56 UTC (permalink / raw)
To: Kees Cook
Cc: DRI Development, LKML, syzbot, Alexander Viro, Andrew Morton,
Stephen Rothwell, Daniel Vetter
On Wed, Nov 6, 2019 at 6:24 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Wed, Nov 06, 2019 at 05:47:55PM +0100, Daniel Vetter wrote:
> > The hardened usercpy code is too paranoid ever since:
> >
> > commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe
> > Author: Kees Cook <keescook@chromium.org>
> > Date: Wed Nov 6 16:07:01 2019 +1100
> >
> > uaccess: disallow > INT_MAX copy sizes
> >
> > Code itself should have been fine as-is.
>
> I had to go read the syzbot report to understand what was actually being
> fixed here. Can you be a bit more verbose in this commit log? It sounds
> like huge usercopy sizes were allowed by drm (though I guess they would
> fail gracefully in some other way?) but after 6a30afa8c1fb, the copy
> would yell about sizes where INT_MAX < size < ULONG_MAX - sizeof(...) ?
The WARNING seems to have been the only bad effect. I guess in
practice the real big stuff fails at memory allocation time, but
shouldn't overflow. Or maybe I still don't get how this C thing works.
Anyway I figured the cited patch is good enough, userptr copies >
INT_MAX aren't allowed anymore, so we need to adjust our overflow
checks.
-Daniel
> What was the prior failure mode that made the existing ULONG_MAX check
> safe? Your patch looks fine, though:
>
> Reviewed-by: Kees Cook <keescook@chromium.org>
>
> > Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com
> > Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
> > Cc: Kees Cook <keescook@chromium.org>
> > Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> > Cc: Andrew Morton <akpm@linux-foundation.org>
> > Cc: Stephen Rothwell <sfr@canb.auug.org.au>
> > Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> > --
> > Kees/Andrew,
> >
> > Since this is -mm can I have a stable sha1 or something for
> > referencing? Or do you want to include this in the -mm patch bomb for
> > the merge window?
>
> Traditionally these things live in akpm's tree when they are fixes for
> patches in there. I have no idea how the Fixes tags work in that case,
> though...
>
> -Kees
>
> > -Daniel
> > ---
> > drivers/gpu/drm/drm_property.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
> > index 892ce636ef72..6ee04803c362 100644
> > --- a/drivers/gpu/drm/drm_property.c
> > +++ b/drivers/gpu/drm/drm_property.c
> > @@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
> > struct drm_property_blob *blob;
> > int ret;
> >
> > - if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
> > + if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
> > return ERR_PTR(-EINVAL);
> >
> > blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
> > --
> > 2.24.0.rc2
> >
>
> --
> Kees Cook
--
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] drm: Limit to INT_MAX in create_blob ioctl
2019-11-06 17:56 ` Daniel Vetter
@ 2019-11-06 17:56 ` Daniel Vetter
0 siblings, 0 replies; 10+ messages in thread
From: Daniel Vetter @ 2019-11-06 17:56 UTC (permalink / raw)
To: Kees Cook
Cc: Stephen Rothwell, syzbot, LKML, DRI Development, Alexander Viro,
Daniel Vetter, Andrew Morton
On Wed, Nov 6, 2019 at 6:24 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Wed, Nov 06, 2019 at 05:47:55PM +0100, Daniel Vetter wrote:
> > The hardened usercpy code is too paranoid ever since:
> >
> > commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe
> > Author: Kees Cook <keescook@chromium.org>
> > Date: Wed Nov 6 16:07:01 2019 +1100
> >
> > uaccess: disallow > INT_MAX copy sizes
> >
> > Code itself should have been fine as-is.
>
> I had to go read the syzbot report to understand what was actually being
> fixed here. Can you be a bit more verbose in this commit log? It sounds
> like huge usercopy sizes were allowed by drm (though I guess they would
> fail gracefully in some other way?) but after 6a30afa8c1fb, the copy
> would yell about sizes where INT_MAX < size < ULONG_MAX - sizeof(...) ?
The WARNING seems to have been the only bad effect. I guess in
practice the real big stuff fails at memory allocation time, but
shouldn't overflow. Or maybe I still don't get how this C thing works.
Anyway I figured the cited patch is good enough, userptr copies >
INT_MAX aren't allowed anymore, so we need to adjust our overflow
checks.
-Daniel
> What was the prior failure mode that made the existing ULONG_MAX check
> safe? Your patch looks fine, though:
>
> Reviewed-by: Kees Cook <keescook@chromium.org>
>
> > Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com
> > Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
> > Cc: Kees Cook <keescook@chromium.org>
> > Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> > Cc: Andrew Morton <akpm@linux-foundation.org>
> > Cc: Stephen Rothwell <sfr@canb.auug.org.au>
> > Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> > --
> > Kees/Andrew,
> >
> > Since this is -mm can I have a stable sha1 or something for
> > referencing? Or do you want to include this in the -mm patch bomb for
> > the merge window?
>
> Traditionally these things live in akpm's tree when they are fixes for
> patches in there. I have no idea how the Fixes tags work in that case,
> though...
>
> -Kees
>
> > -Daniel
> > ---
> > drivers/gpu/drm/drm_property.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
> > index 892ce636ef72..6ee04803c362 100644
> > --- a/drivers/gpu/drm/drm_property.c
> > +++ b/drivers/gpu/drm/drm_property.c
> > @@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
> > struct drm_property_blob *blob;
> > int ret;
> >
> > - if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
> > + if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
> > return ERR_PTR(-EINVAL);
> >
> > blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
> > --
> > 2.24.0.rc2
> >
>
> --
> Kees Cook
--
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] drm: Limit to INT_MAX in create_blob ioctl
2019-11-06 17:24 ` Kees Cook
2019-11-06 17:24 ` Kees Cook
2019-11-06 17:56 ` Daniel Vetter
@ 2019-11-06 18:13 ` Andrew Morton
2019-11-06 18:13 ` Andrew Morton
2 siblings, 1 reply; 10+ messages in thread
From: Andrew Morton @ 2019-11-06 18:13 UTC (permalink / raw)
To: Kees Cook
Cc: Daniel Vetter, DRI Development, LKML,
syzbot+fb77e97ebf0612ee6914, Alexander Viro, Stephen Rothwell,
Daniel Vetter
On Wed, 6 Nov 2019 09:24:18 -0800 Kees Cook <keescook@chromium.org> wrote:
> > Since this is -mm can I have a stable sha1 or something for
> > referencing? Or do you want to include this in the -mm patch bomb for
> > the merge window?
>
> Traditionally these things live in akpm's tree when they are fixes for
> patches in there. I have no idea how the Fixes tags work in that case,
> though...
I queued it immediately ahead of
uaccess-disallow-int_max-copy-sizes.patch so all should be good,
thanks.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] drm: Limit to INT_MAX in create_blob ioctl
2019-11-06 18:13 ` Andrew Morton
@ 2019-11-06 18:13 ` Andrew Morton
0 siblings, 0 replies; 10+ messages in thread
From: Andrew Morton @ 2019-11-06 18:13 UTC (permalink / raw)
To: Kees Cook
Cc: Stephen Rothwell, syzbot+fb77e97ebf0612ee6914, Daniel Vetter,
LKML, DRI Development, Alexander Viro, Daniel Vetter
On Wed, 6 Nov 2019 09:24:18 -0800 Kees Cook <keescook@chromium.org> wrote:
> > Since this is -mm can I have a stable sha1 or something for
> > referencing? Or do you want to include this in the -mm patch bomb for
> > the merge window?
>
> Traditionally these things live in akpm's tree when they are fixes for
> patches in there. I have no idea how the Fixes tags work in that case,
> though...
I queued it immediately ahead of
uaccess-disallow-int_max-copy-sizes.patch so all should be good,
thanks.
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2019-11-06 18:13 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-06 16:47 [PATCH] drm: Limit to INT_MAX in create_blob ioctl Daniel Vetter
2019-11-06 16:47 ` Daniel Vetter
2019-11-06 17:03 ` Ville Syrjälä
2019-11-06 17:03 ` Ville Syrjälä
2019-11-06 17:24 ` Kees Cook
2019-11-06 17:24 ` Kees Cook
2019-11-06 17:56 ` Daniel Vetter
2019-11-06 17:56 ` Daniel Vetter
2019-11-06 18:13 ` Andrew Morton
2019-11-06 18:13 ` Andrew Morton
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).