From: Javier Martinez Canillas <javierm@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: Peter Robinson <pbrobinson@gmail.com>,
Javier Martinez Canillas <javierm@redhat.com>,
Daniel Vetter <daniel@ffwll.ch>, David Airlie <airlied@linux.ie>,
Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
Maxime Ripard <mripard@kernel.org>,
Thomas Zimmermann <tzimmermann@suse.de>,
dri-devel@lists.freedesktop.org
Subject: [PATCH 1/2] drm: Use size_t type for len variable in drm_copy_field()
Date: Fri, 1 Jul 2022 14:07:54 +0200 [thread overview]
Message-ID: <20220701120755.2135100-2-javierm@redhat.com> (raw)
In-Reply-To: <20220701120755.2135100-1-javierm@redhat.com>
The strlen() function returns a size_t which is an unsigned int on 32-bit
arches and an unsigned long on 64-bit arches. But in the drm_copy_field()
function, the strlen() return value is assigned to an 'int len' variable.
Later, the len variable is passed as copy_from_user() third argument that
is an unsigned long parameter as well.
In theory, this can lead to an integer overflow via type conversion. Since
the assignment happens to a signed int lvalue instead of a size_t lvalue.
In practice though, that's unlikely since the values copied are set by DRM
drivers and not controlled by userspace. But using a size_t for len is the
correct thing to do anyways.
Reported-by: Peter Robinson <pbrobinson@gmail.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
---
drivers/gpu/drm/drm_ioctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
index 8faad23dc1d8..e1b9a03e619c 100644
--- a/drivers/gpu/drm/drm_ioctl.c
+++ b/drivers/gpu/drm/drm_ioctl.c
@@ -472,7 +472,7 @@ EXPORT_SYMBOL(drm_invalid_op);
*/
static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value)
{
- int len;
+ size_t len;
/* don't overflow userbuf */
len = strlen(value);
--
2.36.1
WARNING: multiple messages have this Message-ID (diff)
From: Javier Martinez Canillas <javierm@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: Thomas Zimmermann <tzimmermann@suse.de>,
David Airlie <airlied@linux.ie>,
dri-devel@lists.freedesktop.org,
Javier Martinez Canillas <javierm@redhat.com>,
Peter Robinson <pbrobinson@gmail.com>
Subject: [PATCH 1/2] drm: Use size_t type for len variable in drm_copy_field()
Date: Fri, 1 Jul 2022 14:07:54 +0200 [thread overview]
Message-ID: <20220701120755.2135100-2-javierm@redhat.com> (raw)
In-Reply-To: <20220701120755.2135100-1-javierm@redhat.com>
The strlen() function returns a size_t which is an unsigned int on 32-bit
arches and an unsigned long on 64-bit arches. But in the drm_copy_field()
function, the strlen() return value is assigned to an 'int len' variable.
Later, the len variable is passed as copy_from_user() third argument that
is an unsigned long parameter as well.
In theory, this can lead to an integer overflow via type conversion. Since
the assignment happens to a signed int lvalue instead of a size_t lvalue.
In practice though, that's unlikely since the values copied are set by DRM
drivers and not controlled by userspace. But using a size_t for len is the
correct thing to do anyways.
Reported-by: Peter Robinson <pbrobinson@gmail.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
---
drivers/gpu/drm/drm_ioctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
index 8faad23dc1d8..e1b9a03e619c 100644
--- a/drivers/gpu/drm/drm_ioctl.c
+++ b/drivers/gpu/drm/drm_ioctl.c
@@ -472,7 +472,7 @@ EXPORT_SYMBOL(drm_invalid_op);
*/
static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value)
{
- int len;
+ size_t len;
/* don't overflow userbuf */
len = strlen(value);
--
2.36.1
next prev parent reply other threads:[~2022-07-01 12:08 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-01 12:07 [PATCH 0/2] drm: A couple of fixes for drm_copy_field() helper function Javier Martinez Canillas
2022-07-01 12:07 ` Javier Martinez Canillas
2022-07-01 12:07 ` Javier Martinez Canillas [this message]
2022-07-01 12:07 ` [PATCH 1/2] drm: Use size_t type for len variable in drm_copy_field() Javier Martinez Canillas
2022-07-04 12:27 ` Thomas Zimmermann
2022-07-04 12:27 ` Thomas Zimmermann
2022-07-01 12:07 ` [PATCH 2/2] drm: Prevent drm_copy_field() to attempt copying a NULL pointer Javier Martinez Canillas
2022-07-01 12:07 ` Javier Martinez Canillas
2022-07-04 12:30 ` Thomas Zimmermann
2022-07-04 12:30 ` Thomas Zimmermann
2022-07-04 12:36 ` Javier Martinez Canillas
2022-07-04 12:36 ` Javier Martinez Canillas
2022-07-04 12:55 ` Javier Martinez Canillas
2022-07-04 12:55 ` Javier Martinez Canillas
2022-07-04 14:28 ` Thomas Zimmermann
2022-07-04 14:28 ` Thomas Zimmermann
2022-07-01 17:47 ` [PATCH 0/2] drm: A couple of fixes for drm_copy_field() helper function Peter Robinson
2022-07-01 17:47 ` Peter Robinson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220701120755.2135100-2-javierm@redhat.com \
--to=javierm@redhat.com \
--cc=airlied@linux.ie \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maarten.lankhorst@linux.intel.com \
--cc=mripard@kernel.org \
--cc=pbrobinson@gmail.com \
--cc=tzimmermann@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.