From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=8yH2=Z3=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.8 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
	DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY,
	SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id EC939C43603
	for <linux-mm@archiver.kernel.org>; Thu,  5 Dec 2019 00:52:39 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id B1DAE21823
	for <linux-mm@archiver.kernel.org>; Thu,  5 Dec 2019 00:52:39 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=kernel.org header.i=@kernel.org header.b="C5sI/yOj"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B1DAE21823
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linux-foundation.org
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 63B976B0DD0; Wed,  4 Dec 2019 19:52:39 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 5EB966B0DD2; Wed,  4 Dec 2019 19:52:39 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 4DF636B0DD3; Wed,  4 Dec 2019 19:52:39 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0199.hostedemail.com [216.40.44.199])
	by kanga.kvack.org (Postfix) with ESMTP id 2CB176B0DD0
	for <linux-mm@kvack.org>; Wed,  4 Dec 2019 19:52:39 -0500 (EST)
Received: from smtpin12.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay05.hostedemail.com (Postfix) with SMTP id 092E5181AEF30
	for <linux-mm@kvack.org>; Thu,  5 Dec 2019 00:52:39 +0000 (UTC)
X-FDA: 76229262396.12.fact78_171b436723809
X-HE-Tag: fact78_171b436723809
X-Filterd-Recvd-Size: 2836
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by imf30.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Thu,  5 Dec 2019 00:52:38 +0000 (UTC)
Received: from localhost.localdomain (c-73-231-172-41.hsd1.ca.comcast.net [73.231.172.41])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPSA id BE79824652;
	Thu,  5 Dec 2019 00:52:37 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=default; t=1575507158;
	bh=eQQYYkQrvlithT6FDAMRSFyEbp3WmYg3lsizwmqbMUs=;
	h=Date:From:To:Subject:In-Reply-To:From;
	b=C5sI/yOjbPLFT3YKBirN4c9iluQZD4ET5vXmdNBhrUbGIdrguTd4YN2XF5gZWr3t4
	 UAbTNT5uipTubcoj87SE1o6iJ62rZ2ttL0d//1MXfVh08ulQ4HCVkGgox3C4vdjP5E
	 7OWC4Szo6qPQS/1btAKmJ6tWMqW/0t/Tl9Pp9zls=
Date: Wed, 04 Dec 2019 16:52:37 -0800
From: Andrew Morton <akpm@linux-foundation.org>
To: akpm@linux-foundation.org, daniel.vetter@ffwll.ch,
 daniel.vetter@intel.com, keescook@chromium.org, linux-mm@kvack.org,
 mm-commits@vger.kernel.org, sfr@canb.auug.org.au,
 torvalds@linux-foundation.org, viro@zeniv.linux.org.uk
Subject:  [patch 54/86] drm: limit to INT_MAX in create_blob ioctl
Message-ID: <20191205005237.MG9qvjrSF%akpm@linux-foundation.org>
In-Reply-To: <20191204164858.fe4ed8886e34ad9f3b34ea00@linux-foundation.org>
User-Agent: s-nail v14.8.16
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

From: Daniel Vetter <daniel.vetter@ffwll.ch>
Subject: drm: limit to INT_MAX in create_blob ioctl

The hardened usercpy code is too paranoid ever since:

commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Nov 6 16:07:01 2019 +1100

    uaccess: disallow > INT_MAX copy sizes

Code itself should have been fine as-is.

Link: http://lkml.kernel.org/r/20191106164755.31478-1-daniel.vetter@ffwll.ch
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com
Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
Cc: Kees Cook <keescook@chromium.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 drivers/gpu/drm/drm_property.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/drm_property.c~drm-limit-to-int_max-in-create_blob-ioctl
+++ a/drivers/gpu/drm/drm_property.c
@@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_devi
 	struct drm_property_blob *blob;
 	int ret;
 
-	if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
+	if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
 		return ERR_PTR(-EINVAL);
 
 	blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
_