* [PATCH] drm/i915: prevent integer overflow in query_engine_info()
@ 2022-09-01 15:38 Dan Carpenter
2022-09-01 17:14 ` [Intel-gfx] " Andrzej Hajda
2022-09-06 9:27 ` Tvrtko Ursulin
0 siblings, 2 replies; 3+ messages in thread
From: Dan Carpenter @ 2022-09-01 15:38 UTC (permalink / raw)
To: Jani Nikula, Gustavo A. R. Silva
Cc: Joonas Lahtinen, Rodrigo Vivi, Tvrtko Ursulin, David Airlie,
Daniel Vetter, Chris Wilson, intel-gfx, dri-devel,
kernel-janitors
This code uses struct_size() but it stores the result in an int so the
integer overflow checks are not effective. Record the types as size_t
to prevent the size from being truncated.
Fixes: bf3c50837506 ("drm/i915/query: Use struct_size() helper")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
I do not know if the integer overflow can happen. This is a hardenning
patch just like the conversion to struct_size().
drivers/gpu/drm/i915/i915_query.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_query.c b/drivers/gpu/drm/i915/i915_query.c
index 6ec9c9fb7b0d..43a499fbdc8d 100644
--- a/drivers/gpu/drm/i915/i915_query.c
+++ b/drivers/gpu/drm/i915/i915_query.c
@@ -13,7 +13,7 @@
#include <uapi/drm/i915_drm.h>
static int copy_query_item(void *query_hdr, size_t query_sz,
- u32 total_length,
+ size_t total_length,
struct drm_i915_query_item *query_item)
{
if (query_item->length == 0)
@@ -135,7 +135,8 @@ query_engine_info(struct drm_i915_private *i915,
struct drm_i915_engine_info info = { };
unsigned int num_uabi_engines = 0;
struct intel_engine_cs *engine;
- int len, ret;
+ size_t len;
+ int ret;
if (query_item->flags)
return -EINVAL;
--
2.35.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Intel-gfx] [PATCH] drm/i915: prevent integer overflow in query_engine_info()
2022-09-01 15:38 [PATCH] drm/i915: prevent integer overflow in query_engine_info() Dan Carpenter
@ 2022-09-01 17:14 ` Andrzej Hajda
2022-09-06 9:27 ` Tvrtko Ursulin
1 sibling, 0 replies; 3+ messages in thread
From: Andrzej Hajda @ 2022-09-01 17:14 UTC (permalink / raw)
To: Dan Carpenter, Jani Nikula, Gustavo A. R. Silva
Cc: David Airlie, intel-gfx, kernel-janitors, dri-devel,
Chris Wilson, Daniel Vetter, Rodrigo Vivi
On 01.09.2022 17:38, Dan Carpenter wrote:
> This code uses struct_size() but it stores the result in an int so the
> integer overflow checks are not effective. Record the types as size_t
> to prevent the size from being truncated.
>
> Fixes: bf3c50837506 ("drm/i915/query: Use struct_size() helper")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com>
Regards
Andrzej
> ---
> I do not know if the integer overflow can happen. This is a hardenning
> patch just like the conversion to struct_size().
>
> drivers/gpu/drm/i915/i915_query.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/i915_query.c b/drivers/gpu/drm/i915/i915_query.c
> index 6ec9c9fb7b0d..43a499fbdc8d 100644
> --- a/drivers/gpu/drm/i915/i915_query.c
> +++ b/drivers/gpu/drm/i915/i915_query.c
> @@ -13,7 +13,7 @@
> #include <uapi/drm/i915_drm.h>
>
> static int copy_query_item(void *query_hdr, size_t query_sz,
> - u32 total_length,
> + size_t total_length,
> struct drm_i915_query_item *query_item)
> {
> if (query_item->length == 0)
> @@ -135,7 +135,8 @@ query_engine_info(struct drm_i915_private *i915,
> struct drm_i915_engine_info info = { };
> unsigned int num_uabi_engines = 0;
> struct intel_engine_cs *engine;
> - int len, ret;
> + size_t len;
> + int ret;
>
> if (query_item->flags)
> return -EINVAL;
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] drm/i915: prevent integer overflow in query_engine_info()
2022-09-01 15:38 [PATCH] drm/i915: prevent integer overflow in query_engine_info() Dan Carpenter
2022-09-01 17:14 ` [Intel-gfx] " Andrzej Hajda
@ 2022-09-06 9:27 ` Tvrtko Ursulin
1 sibling, 0 replies; 3+ messages in thread
From: Tvrtko Ursulin @ 2022-09-06 9:27 UTC (permalink / raw)
To: Dan Carpenter, Jani Nikula, Gustavo A. R. Silva
Cc: Joonas Lahtinen, Rodrigo Vivi, David Airlie, Daniel Vetter,
Chris Wilson, intel-gfx, dri-devel, kernel-janitors
Hi Dan,
On 01/09/2022 16:38, Dan Carpenter wrote:
> This code uses struct_size() but it stores the result in an int so the
> integer overflow checks are not effective. Record the types as size_t
> to prevent the size from being truncated.
>
> Fixes: bf3c50837506 ("drm/i915/query: Use struct_size() helper")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> I do not know if the integer overflow can happen. This is a hardenning
> patch just like the conversion to struct_size().
It can't since num_uabi_engines in "len = struct_size(query_ptr,
engines, num_uabi_engines);" is max double digits and sizeof(struct
drm_i915_engine_info) is 56 bytes on a glance.
Nevertheless hardening is almost always beneficial so no fundamental
complaints. Just that this patch I think leaves some parts unresolved.
Mostly that copy_query_item now can implicitly truncate in "return
total_length" and likewise query_engine_info in "return ret;".
Maybe we could add, on top of your patch, something like:
static int copy_query_item(void *query_hdr, size_t query_sz,
- u32 total_length,
+ size_t total_length,
struct drm_i915_query_item *query_item)
{
+ if (overflows_type(query_sz, query_item->length) ||
+ overflows_type(total_length, query_item->length))
+ return -ERANGE; /* ??? */
+
(query->item_length is s32 so matches the int return type.)
And change all variables holding result of copy_query_item to size_t.
Don't know, it could be it's an overkill. More opinions?
Regards,
Tvrtko
>
> drivers/gpu/drm/i915/i915_query.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/i915_query.c b/drivers/gpu/drm/i915/i915_query.c
> index 6ec9c9fb7b0d..43a499fbdc8d 100644
> --- a/drivers/gpu/drm/i915/i915_query.c
> +++ b/drivers/gpu/drm/i915/i915_query.c
> @@ -13,7 +13,7 @@
> #include <uapi/drm/i915_drm.h>
>
> static int copy_query_item(void *query_hdr, size_t query_sz,
> - u32 total_length,
> + size_t total_length,
> struct drm_i915_query_item *query_item)
> {
> if (query_item->length == 0)
> @@ -135,7 +135,8 @@ query_engine_info(struct drm_i915_private *i915,
> struct drm_i915_engine_info info = { };
> unsigned int num_uabi_engines = 0;
> struct intel_engine_cs *engine;
> - int len, ret;
> + size_t len;
> + int ret;
>
> if (query_item->flags)
> return -EINVAL;
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-09-06 9:27 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-09-01 15:38 [PATCH] drm/i915: prevent integer overflow in query_engine_info() Dan Carpenter
2022-09-01 17:14 ` [Intel-gfx] " Andrzej Hajda
2022-09-06 9:27 ` Tvrtko Ursulin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).