[PATCH] drm/etnaviv: limit submit sizes

[PATCH] drm/etnaviv: limit submit sizes

[Lucas Stach]

Currently we allow rediculous ammounts of kernel memory being allocated
via the etnaviv GEM_SUBMIT ioctl, which is a pretty easy DoS vector. Put
some reasonable limits in to fix this.

The commandstream size is limited to 64KB, which was already a soft limit
on older kernels after which the kernel only took submits on a best effort
base, so there is no userspace that tries to submit commandstreams larger
than this. Even if the whole commandstream is a single incrementing address
load, the size limit also limits the number of potential relocs and
referenced buffers to slightly under 64K, so use the same limit for those
arguments. The performance monitoring infrastructure currently supports
less than 50 performance counter signals, so limiting them to 128 on a
single submit seems like a reasonably future-proof number for now. This
number can be bumped if needed without breaking the interface.

Cc: stable@vger.kernel.org
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
---
 drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c b/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c
index 486259e154af..225fa5879ebd 100644
--- a/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c
+++ b/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c
@@ -469,6 +469,12 @@ int etnaviv_ioctl_gem_submit(struct drm_device *dev, void *data,
 		return -EINVAL;
 	}
 
+	if (args->stream_size > SZ_64K || args->nr_relocs > SZ_64K ||
+	    args->nr_bos > SZ_64K || args->nr_pmrs > 128) {
+		DRM_ERROR("submit arguments out of size limits\n");
+		return -EINVAL;
+	}
+
 	/*
 	 * Copy the command submission and bo array to kernel space in
 	 * one go, and do this outside of any locks.
-- 
2.30.2

Re: [PATCH] drm/etnaviv: limit submit sizes

[Christian Gmeiner]

Am Fr., 17. Dez. 2021 um 11:59 Uhr schrieb Lucas Stach <l.stach@pengutronix.de>:
>
> Currently we allow rediculous ammounts of kernel memory being allocated
> via the etnaviv GEM_SUBMIT ioctl, which is a pretty easy DoS vector. Put
> some reasonable limits in to fix this.
>
> The commandstream size is limited to 64KB, which was already a soft limit
> on older kernels after which the kernel only took submits on a best effort
> base, so there is no userspace that tries to submit commandstreams larger
> than this. Even if the whole commandstream is a single incrementing address
> load, the size limit also limits the number of potential relocs and
> referenced buffers to slightly under 64K, so use the same limit for those
> arguments. The performance monitoring infrastructure currently supports
> less than 50 performance counter signals, so limiting them to 128 on a
> single submit seems like a reasonably future-proof number for now. This
> number can be bumped if needed without breaking the interface.
>
> Cc: stable@vger.kernel.org
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Lucas Stach <l.stach@pengutronix.de>

Reviewed-by: Christian Gmeiner <christian.gmeiner@gmail.com>

-- 
greets
--
Christian Gmeiner, MSc

https://christian-gmeiner.info/privacypolicy