From: Javier Martinez Canillas <javierm@redhat.com> To: linux-kernel@vger.kernel.org Cc: Peter Robinson <pbrobinson@gmail.com>, Javier Martinez Canillas <javierm@redhat.com>, Daniel Vetter <daniel@ffwll.ch>, David Airlie <airlied@linux.ie>, Maarten Lankhorst <maarten.lankhorst@linux.intel.com>, Maxime Ripard <mripard@kernel.org>, Thomas Zimmermann <tzimmermann@suse.de>, dri-devel@lists.freedesktop.org Subject: [PATCH 1/2] drm: Use size_t type for len variable in drm_copy_field() Date: Fri, 1 Jul 2022 14:07:54 +0200 [thread overview] Message-ID: <20220701120755.2135100-2-javierm@redhat.com> (raw) In-Reply-To: <20220701120755.2135100-1-javierm@redhat.com> The strlen() function returns a size_t which is an unsigned int on 32-bit arches and an unsigned long on 64-bit arches. But in the drm_copy_field() function, the strlen() return value is assigned to an 'int len' variable. Later, the len variable is passed as copy_from_user() third argument that is an unsigned long parameter as well. In theory, this can lead to an integer overflow via type conversion. Since the assignment happens to a signed int lvalue instead of a size_t lvalue. In practice though, that's unlikely since the values copied are set by DRM drivers and not controlled by userspace. But using a size_t for len is the correct thing to do anyways. Reported-by: Peter Robinson <pbrobinson@gmail.com> Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> --- drivers/gpu/drm/drm_ioctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c index 8faad23dc1d8..e1b9a03e619c 100644 --- a/drivers/gpu/drm/drm_ioctl.c +++ b/drivers/gpu/drm/drm_ioctl.c @@ -472,7 +472,7 @@ EXPORT_SYMBOL(drm_invalid_op); */ static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value) { - int len; + size_t len; /* don't overflow userbuf */ len = strlen(value); -- 2.36.1
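Review bot: With `len` now declared `size_t` at the top of drm_copy_field(), please confirm that nothing below `len = strlen(value);` still relies on it being signed; a `len < 0` test or a `%d` format specifier would be the usual leftovers, and the rest of the function is not visible in this hunk. Since the signature takes `size_t *buf_len`, any comparison of `len` against `*buf_len` under the `/* don't overflow userbuf */` comment becomes a same-type comparison after this change, which is the concrete benefit and worth stating in the changelog. Separately, the commit message names copy_from_user(), while the signature here has a `char __user *buf` destination and a `const char *value` source, which points to a copy to userspace; the message should name the helper the function actually calls.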