* [PATCH] drm: integer overflow in drm_mode_dirtyfb_ioctl()
@ 2011-11-23 6:12 Xi Wang
2011-12-14 13:16 ` Eugene Teo
0 siblings, 1 reply; 4+ messages in thread
From: Xi Wang @ 2011-11-23 6:12 UTC (permalink / raw)
To: David Airlie; +Cc: dri-devel, linux-kernel, security
There is a potential integer overflow in drm_mode_dirtyfb_ioctl()
if userspace passes in a large num_clips. The call to kmalloc would
allocate a small buffer, and the call to fb->funcs->dirty may result
in a memory corruption.
Reported-by: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
---
drivers/gpu/drm/drm_crtc.c | 4 ++++
include/drm/drm_mode.h | 2 ++
2 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index 405c63b..8323fc3 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -1873,6 +1873,10 @@ int drm_mode_dirtyfb_ioctl(struct drm_device *dev,
}
if (num_clips && clips_ptr) {
+ if (num_clips < 0 || num_clips > DRM_MODE_FB_DIRTY_MAX_CLIPS) {
+ ret = -EINVAL;
+ goto out_err1;
+ }
clips = kzalloc(num_clips * sizeof(*clips), GFP_KERNEL);
if (!clips) {
ret = -ENOMEM;
diff --git a/include/drm/drm_mode.h b/include/drm/drm_mode.h
index d30bedf..ddd46db 100644
--- a/include/drm/drm_mode.h
+++ b/include/drm/drm_mode.h
@@ -235,6 +235,8 @@ struct drm_mode_fb_cmd {
#define DRM_MODE_FB_DIRTY_ANNOTATE_FILL 0x02
#define DRM_MODE_FB_DIRTY_FLAGS 0x03
+#define DRM_MODE_FB_DIRTY_MAX_CLIPS 256
+
/*
* Mark a region of a framebuffer as dirty.
*
--
1.7.5.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] drm: integer overflow in drm_mode_dirtyfb_ioctl()
2011-11-23 6:12 [PATCH] drm: integer overflow in drm_mode_dirtyfb_ioctl() Xi Wang
@ 2011-12-14 13:16 ` Eugene Teo
2011-12-14 13:34 ` David Airlie
0 siblings, 1 reply; 4+ messages in thread
From: Eugene Teo @ 2011-12-14 13:16 UTC (permalink / raw)
To: Xi Wang; +Cc: David Airlie, dri-devel, linux-kernel, security, Dave Airlie
Cc'ed Dave's work email.
On Wed, Nov 23, 2011 at 2:12 PM, Xi Wang <xi.wang@gmail.com> wrote:
> There is a potential integer overflow in drm_mode_dirtyfb_ioctl()
> if userspace passes in a large num_clips. The call to kmalloc would
> allocate a small buffer, and the call to fb->funcs->dirty may result
> in a memory corruption.
>
> Reported-by: Haogang Chen <haogangchen@gmail.com>
> Signed-off-by: Xi Wang <xi.wang@gmail.com>
> ---
> drivers/gpu/drm/drm_crtc.c | 4 ++++
> include/drm/drm_mode.h | 2 ++
> 2 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
> index 405c63b..8323fc3 100644
> --- a/drivers/gpu/drm/drm_crtc.c
> +++ b/drivers/gpu/drm/drm_crtc.c
> @@ -1873,6 +1873,10 @@ int drm_mode_dirtyfb_ioctl(struct drm_device *dev,
> }
>
> if (num_clips && clips_ptr) {
> + if (num_clips < 0 || num_clips > DRM_MODE_FB_DIRTY_MAX_CLIPS) {
> + ret = -EINVAL;
> + goto out_err1;
> + }
> clips = kzalloc(num_clips * sizeof(*clips), GFP_KERNEL);
> if (!clips) {
> ret = -ENOMEM;
> diff --git a/include/drm/drm_mode.h b/include/drm/drm_mode.h
> index d30bedf..ddd46db 100644
> --- a/include/drm/drm_mode.h
> +++ b/include/drm/drm_mode.h
> @@ -235,6 +235,8 @@ struct drm_mode_fb_cmd {
> #define DRM_MODE_FB_DIRTY_ANNOTATE_FILL 0x02
> #define DRM_MODE_FB_DIRTY_FLAGS 0x03
>
> +#define DRM_MODE_FB_DIRTY_MAX_CLIPS 256
> +
> /*
> * Mark a region of a framebuffer as dirty.
> *
> --
> 1.7.5.4
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] drm: integer overflow in drm_mode_dirtyfb_ioctl()
2011-12-14 13:16 ` Eugene Teo
@ 2011-12-14 13:34 ` David Airlie
2011-12-14 17:14 ` Greg KH
0 siblings, 1 reply; 4+ messages in thread
From: David Airlie @ 2011-12-14 13:34 UTC (permalink / raw)
To: Eugene Teo; +Cc: David Airlie, dri-devel, linux-kernel, security, Xi Wang
----- Original Message -----
> From: "Eugene Teo" <eugeneteo@kernel.sg>
> To: "Xi Wang" <xi.wang@gmail.com>
> Cc: "David Airlie" <airlied@linux.ie>, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org,
> security@kernel.org, "Dave Airlie" <airlied@redhat.com>
> Sent: Wednesday, 14 December, 2011 1:16:49 PM
> Subject: Re: [PATCH] drm: integer overflow in drm_mode_dirtyfb_ioctl()
>
> Cc'ed Dave's work email.
This is already in Linus tree, went there a while ago.
a5cd335165e31db9dbab636fd29895d41da55dd2
Dave.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] drm: integer overflow in drm_mode_dirtyfb_ioctl()
2011-12-14 13:34 ` David Airlie
@ 2011-12-14 17:14 ` Greg KH
0 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2011-12-14 17:14 UTC (permalink / raw)
To: David Airlie
Cc: Eugene Teo, David Airlie, dri-devel, linux-kernel, security, Xi Wang
On Wed, Dec 14, 2011 at 08:34:29AM -0500, David Airlie wrote:
>
> ----- Original Message -----
> > From: "Eugene Teo" <eugeneteo@kernel.sg>
> > To: "Xi Wang" <xi.wang@gmail.com>
> > Cc: "David Airlie" <airlied@linux.ie>, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org,
> > security@kernel.org, "Dave Airlie" <airlied@redhat.com>
> > Sent: Wednesday, 14 December, 2011 1:16:49 PM
> > Subject: Re: [PATCH] drm: integer overflow in drm_mode_dirtyfb_ioctl()
> >
> > Cc'ed Dave's work email.
>
> This is already in Linus tree, went there a while ago.
>
> a5cd335165e31db9dbab636fd29895d41da55dd2
And it was in the 3.0.13 and 3.1.5 kernel releases.
greg k-h
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2011-12-14 17:14 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-11-23 6:12 [PATCH] drm: integer overflow in drm_mode_dirtyfb_ioctl() Xi Wang
2011-12-14 13:16 ` Eugene Teo
2011-12-14 13:34 ` David Airlie
2011-12-14 17:14 ` Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).