Date: Wed, 19 Apr 2017 13:56:06 -0700
From: Sinclair Yeh
To: Vladis Dronov
CC: VMware Graphics, Thomas Hellstrom, David Airlie
Subject: Re: [PATCH v2] kernel: drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl()
Message-ID: <20170419205606.GF69079@syeh-m02.local>
References: <20170406123340.5368-1-vdronov@redhat.com>
In-Reply-To: <20170406123340.5368-1-vdronov@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Thanks Vladis!

Reviewed-by: Sinclair Yeh

On Thu, Apr 06, 2017 at 02:33:40PM +0200, Vladis Dronov wrote:
> The 'req->mip_levels' parameter in vmw_gb_surface_define_ioctl() is
> a user-controlled 'uint32_t' value which is used as a loop count limit.
> This can lead to a kernel lockup and DoS. Add check for 'req->mip_levels'.
>
> References:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__bugzilla.redhat.com_show-5Fbug.cgi-3Fid-3D1437431&d=DwIBAg&c=uilaK90D4TOVoH58JNXRgQ&r=HaJ2a6NYExoV0cntAYcoqA&m=D9ZabTkAbhTqB-puuJ1a4SnWKUIGw0oXestkhJG6dCQ&s=6PZxBQ8MQjy-uc5pd6vyZg3D5yrG0jlSPi5pPE0oFK4&e=
> Signed-off-by: Vladis Dronov
> ---
> drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c > index b445ce9..e0d7ff9 100644 > --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c > +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> @@ -1281,6 +1281,9 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data, > if (req->multisample_count != 0) > return -EINVAL; > > + if (req->mip_levels > DRM_VMW_MAX_MIP_LEVELS) > + return -EINVAL; > + > if (unlikely(vmw_user_surface_size == 0)) > vmw_user_surface_size = ttm_round_pot(sizeof(*user_srf)) + > 128; > -- > 2.9.3 >
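Review bot: the new bound on req->mip_levels, added right after the multisample_count check, depends on DRM_VMW_MAX_MIP_LEVELS, but neither the hunk nor the commit message states what that limit is or which loop it protects. A sentence in the commit message naming the loop that iterates up to req->mip_levels, and confirming that the constant matches what that loop can safely handle, would let the fix be verified from the patch alone. The placement itself looks right: the request is rejected with -EINVAL before the vmw_user_surface_size setup that follows, so an out-of-range value is turned away before any of the later work visible in this function.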