From patchwork Wed Jun 7 13:24:17 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thomas Hellstrom X-Patchwork-Id: 9771523 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 930C860350 for ; Wed, 7 Jun 2017 13:40:03 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8313A27F85 for ; Wed, 7 Jun 2017 13:40:03 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 73F2A283BE; Wed, 7 Jun 2017 13:40:03 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=2.0 tests=BAD_ENC_HEADER,BAYES_00, DKIM_SIGNED, RCVD_IN_DNSWL_MED, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 0492027F85 for ; Wed, 7 Jun 2017 13:40:03 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 6160D6E230; Wed, 7 Jun 2017 13:40:02 +0000 (UTC) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-by2nam01on0041.outbound.protection.outlook.com [104.47.34.41]) by gabe.freedesktop.org (Postfix) with ESMTPS id 9A3666E230 for ; Wed, 7 Jun 2017 13:40:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=onevmw.onmicrosoft.com; s=selector1-vmware-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=JoC2Yytb51YeiPNbTX8ftB6FRtMB8xdVmC+9eqXikvg=; b=jVCYpe3RZbuTsLyx/+WY8K9no4PNi0hA0mSI25VlES3Lw0PD02NX6bs+z9ubBLAEwlRAytPGcWe9wDU85m3kwT7Mjh8T627WnOw+VYnWO1nWeaoe84WDAdY0unVB27CTNzyJwRABB4wpf/BwsMUI1Az+l4Mhy4vH0Lwm28ukCAU= Authentication-Results: lists.freedesktop.org; dkim=none (message not signed) header.d=none; lists.freedesktop.org; dmarc=none action=none header.from=vmware.com; Received: from ubuntu.localdomain (155.4.205.56) by BLUPR05MB753.namprd05.prod.outlook.com (10.141.208.140) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1157.3; Wed, 7 Jun 2017 13:24:55 +0000 From: Thomas Hellstrom To: dri-devel@lists.freedesktop.org Subject: [PATCH -fixes 1/9] drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl() Date: Wed, 7 Jun 2017 15:24:17 +0200 Message-Id: <1496841865-2349-1-git-send-email-thellstrom@vmware.com> X-Mailer: git-send-email 2.7.4 MIME-Version: 1.0 X-Originating-IP: [155.4.205.56] X-ClientProxiedBy: BN6PR16CA0019.namprd16.prod.outlook.com (10.172.212.157) To BLUPR05MB753.namprd05.prod.outlook.com (10.141.208.140) X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: BLUPR05MB753: X-MS-Office365-Filtering-Correlation-Id: 3a163074-df40-44c4-7b09-08d4ada896fc X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(201703131423075)(201703031133081); SRVR:BLUPR05MB753; X-Microsoft-Exchange-Diagnostics: 1; BLUPR05MB753; 3:XvGXbaRe1wTXvrdpjljs4OA1FTWpZXRA2Ncb1GjIPrXxaQk/Ls4ll3kL9JYCyL3uWpbs5XGeJbLt6q3BLCcNwVPSubIstIMDMkjp2T9f/CvIlDHzs3GeBc4lRiR9AbOz364a4wNUZEQ6GWa53ojvv0mBoT1Jl+8CHz5EA17BNUlKujX10lc+pCke9Zi9cRIeaPE0NUEah0clFPO1VQ0+9Q8ZnB4OXATHrjRH8qNV30pZaOpC6ZOnQSSzj1h+EUP6OSI1u9AEOddlfMn9OpiFRbMxiwRquaesGcjYYZszij0/g3+UKJBG+RvNyMxM9L6t5u/5oWmMSrgbsCNhk/X/Yw==; 25:qLVacv5dZFuLVXZ9a5WAQ7k6ypa8pGqNWdko+zJfrYKxzi+eJfhUtf3JA3kiWAjN/q6OfqHjgpsy70YGJZs6IVkCu+MLi5tsuSBGZv+fia9EZ9msu3a57VHIcHrbzLUgursSPHRrqxd60eBOreTIHnUO5VnwjZyZVp81dK8Y7ehcW/eYY3CNrlDLvxjvwDszwjnJ1UVQEjedb543N51mg0cG8P8nv42TiYN5J8z+sSJvPAx0Deb3sZ/Fp7RtVSfT3yqJlBLbedQeeHtfL4YPhe4SdIKuGtjnW7Wv/YJB0krxsmhX0JJtZDs1TcVjhNES6SmAaUi8rPEqlZAubB8oV2V5nI4yQ/7qY704Nvk9l05DhxGgZ2QLf+GmTO8fY0VdYIMVESz/E4mZZIo4XQdFnRu3NvCivd2CAC25aioehjPrCbnSlIus8P631pFGwnrCz+BBfdL5nLVjbqd5zSll8R9BpTPIJ2yC3FsV8cuxyr0= X-Microsoft-Exchange-Diagnostics: 1; BLUPR05MB753; 31:94P5d01kyXfxl5RuL/FnN3QUkUdVpMxvBR1d2Bw83GJia5ctwYh11BnOxZ2fKFOsiRNV2de15jpFwJmHS6RJ3m2VeXp1frnm67zAW3dn1+Xom209++G7ASfmerS6Mgb6ZlmRX+um2NJjwrpEErKjPixX0GsriNElKxoWxI+Bd/yf2rftxL0aO+V1KIc1mK5Y6cjl3NqYms7aOV5sz/Bk0brbxwK90/IzO8b8up3WJXbBT1n7olVONmDy47ONilzg+AgTym7qnvZvPFVWhnlQ1A==; 20:iVGF33HFbDELkI7CwIs+vQZrSyP+YHQuvGbKqjmEeBuF1zYH2QP6r2MRX8Xr45GN2FlB/oormViKgD165/yzCkM353J1G6SQy0f8+NgclhUsRVrhEaM7e+t7dwLTtj0arZQaSS0+5YHv4g54z3VMbSlTeg2C8RmgqcOBYnWglTzIcryp4hNyycxsm5ahzYK8PGNrh/kW5WAoEF9zce2a9zQgkS73mckpNbnr322CRsIRx3eQmIraNT7eIIttbsJdscawKH/RS4hMe9TB1L/rTlnXJ1i0TraXEpEzaqz1DiGIyn/xBI2Cbe9t8Q5AevCFJ2WaCV4EWIvb8AsVgqT1vER1eqUXZrOkD/cZ+UVYa7A1GuLFLWGR9jhCrvx8G1lM1/OVxKQJNVoQQZqp5nz3KwAg2CRxlxmaIszOD41I4bGeouaQEGflxaxBOXa7QvySXblKS8dEfed+QMtm8PY4+SrRretX98kqyBvVQQH95CJXszPkV+FL8XVNBTXkd3ee X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-Test: UriScan:(61668805478150)(9452136761055)(83566789882024); X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(5005006)(8121501046)(3002001)(100000703101)(100105400095)(10201501046)(93006095)(93001095)(6041248)(20161123558100)(20161123562025)(20161123564025)(20161123555025)(20161123560025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BLUPR05MB753; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BLUPR05MB753; X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; BLUPR05MB753; 4:mN0jjKMolTDgb9DPVkvewrZET7+VMpbUZCm/XyOptNu?= =?us-ascii?Q?3bShW5CH6qlJaLAu6MhJtH1qoCVEllOKBIiyXzjrySjn5MfJmyj0k0VL16pG?= =?us-ascii?Q?QYuehEc/JfQBLV559B87eIbuX0AJ3BfAQwH3DSyn4vCJkwWtbb+RKPhtN7e8?= =?us-ascii?Q?YiITxEo7QSRNSLIil37acpM9l/4hNApVMYzJ8g8j2GAUKja6rrFeMQT6oe3R?= =?us-ascii?Q?IsiA2opHMQERHg7LrLPf+mxklDVDS/+hXHEuknhoJou3MtcDx8oXt9weXmTO?= =?us-ascii?Q?WjMkY9stesi2xH1Xk9Zr/p2Wo6z6FRgu+ER8Qmjlf+UN4mFdRkqyZDbxSPRY?= =?us-ascii?Q?GXnoGY2k6qY9rmUTOk8Aw3V8jfFC4myFwBPTtzhbmrrV1WRglaPX7xiH9HW+?= =?us-ascii?Q?qPQ5nXHhAMZ0z+zZEEzZ5pCMevkLRKv1AXk8MSk/iYuU8sITrdZxtyPED1xp?= =?us-ascii?Q?nN5d4YpsoTAlMt5hMAT3cmK0Y9b5ifa+bO5WKSZQCkBPWyHzZXCfE80he3Nv?= =?us-ascii?Q?LCgTOfFiCApC8uXYcwWwzM9zT7D4/NdEldrYvbTdhG7e/IT4hqdRTHusPreI?= =?us-ascii?Q?+f5nlkT/aYynE2y52FWaQniY83dzcqsrQ4vqtt/pWjyqvFFAAoz7hRkFXRfD?= =?us-ascii?Q?qr7SRGxFfnfoOPQB7esDsZXr1dJ0cz7FJj0cmop9F+Jpv+QQFI6j97ECnqWf?= =?us-ascii?Q?aVu9C3gJ4+muS+OuTupnthQvwSeV+y03xlSGR8Cs/0V7B7vJdFtWdPufnHR6?= =?us-ascii?Q?NZcNhPXedbRs1uYHn/S7v3uAlzju4zBRHQx4hTD0IRKbpnML9us+Ck6Ts/8h?= =?us-ascii?Q?uOKApGc+rM7AxwFC1P1n7Rq1OZV0bZCPCxutf9ZHx3gtFjSNipe4pE1lo6bl?= =?us-ascii?Q?pObCievM7BRajcemFVG/MCDBhokBK/1w3zdHecB+mgvBy3nwX3L5Kc6qhxUv?= =?us-ascii?Q?Ckw238fGsw0HzqSJhgT9/0zr9jMb0oiiOqDGwgDZLR5AG4WbjmvEfIHQbFOP?= =?us-ascii?Q?UpNdTfZVCxNjEyNbdedwZiH98POrQmiUImrzJbe64Rm9q+HPQZemRU4jynJg?= =?us-ascii?Q?J+ORZR3KCNs6t2uwC1EG7ijpv7PA936UNRNEi0rwVCNr4gHBDpKeJKxx4f++?= =?us-ascii?Q?bmnrNHE1t3hU/e/CJ0M0iQvEiiqx7bmHn84ETxRtbmO6Al4xhKRjUBgBy+Vj?= =?us-ascii?Q?6d+ZLRfSZNOtzDBOFJfIvpZz2N7Iao9uH3FZ35a/dfuZd0s0AULeKC5e+4dF?= =?us-ascii?Q?QNWNISqNt/4eeHLA=3D?= X-Forefront-PRVS: 03319F6FEF X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009020)(4630300001)(6009001)(39410400002)(39400400002)(39450400003)(39850400002)(38730400002)(110136004)(2906002)(305945005)(47776003)(86362001)(66066001)(5660300001)(3846002)(6666003)(50986999)(5003940100001)(81166006)(6916009)(6116002)(478600001)(7736002)(966005)(50226002)(6506006)(2361001)(33646002)(6486002)(6512007)(6306002)(25786009)(42186005)(189998001)(2351001)(4326008)(50466002)(48376002)(53936002)(36756003); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR05MB753; H:ubuntu.localdomain; FPR:; SPF:None; MLV:sfv; LANG:en; X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; BLUPR05MB753; 23:D6PfCzRwmovR11gwchugxezk9OJ0xoI53PCRdS08KS?= =?us-ascii?Q?yQsJsmjxllJ1arq+7B+v1aRteIH4V2i+DPVF7QzjPXD1Wq6TKUHOCQp73BW+?= =?us-ascii?Q?E4+hsxnyBphJEA5TnsB0/Z+99jYO6twquKXpc/5RMiIzoIYudrUCN2PPklDg?= =?us-ascii?Q?d4IMU26Ndly4w+VDsgjRm4OVYMAIKo2X+inK59Tn8t9RgFrINWeCzzm2+Z3U?= =?us-ascii?Q?5djEOZc+5Kkk0CHnpCJYfmROLevtasWWTv94q6QBqmz4O0Eu22AKm7z3/wey?= =?us-ascii?Q?xLPAVxrBBvtM02YiMzFWy3auEmus+axk3AU07Jd+e92guA/NW39gTxKIr1L1?= =?us-ascii?Q?6ojleqVErI+BJN3HEijrg/1yoK7JunXYI3KqTiTkyi5LAyRGkZ2c6eso7rGp?= =?us-ascii?Q?ICZNuay/AguKwgipwY9VGpfl2KKEbs2dwSX71D8mFH1oGUkOmfYMnx1M8ucw?= =?us-ascii?Q?QHqT50wu0t6F2CiTKgfV4eMLlXa1kY7suzzkfw1vzfQ9A/sMiGfKJp3qtfVr?= =?us-ascii?Q?ZTMCDpCBEHRZ3UObLeZGvGFuv+5O6IzZUhV7PTafNxQcYzPsTJJDZt2HNShT?= =?us-ascii?Q?El7Y9M+PQPjqBRXZS5aWH60D0UvA9wD/PUz6Lt+qPA+NLHlyIK+OkpvcwZSE?= =?us-ascii?Q?XSuFw8Yz/Re6F8XvaivceMdSJAjrP8/A41bch8ARJBq9GLwtmu9SBxDORcMK?= =?us-ascii?Q?rkZRCEWUayoAZeFfT7tvsxHPBQIS4bQYJHyCCUouVM1sauuGa1yP2nFYP3Eh?= =?us-ascii?Q?Lhxktf+TzXaAqRde+g71tr4spy+HWf2n90iMVLkyqa1Pt2EhacbhQuy8+1c9?= =?us-ascii?Q?qN+E6LJbbBYsDDQe0q5PGu5chDg38E7nz92TGgvqLONLR68v+i/wtpO7UPd0?= =?us-ascii?Q?UFhuPD6Fi5souTXP/SLa2ZocBYbD9ZiWbcvu8npMOA4/2kQOcBHuUgcwmgMF?= =?us-ascii?Q?OReOh+PfTo+vKY/JH+nkx+38p8+CQblsfJiXtogFRebS5S+5/jTX1MKJiJqH?= =?us-ascii?Q?Bib8maUMsF+G20BvyO/2+c?= X-Microsoft-Exchange-Diagnostics: 1; BLUPR05MB753; 6:1blRUv/OsohvvxQcC50gjChbCiOjS2cpklc25uOgZ8Y3wzXtW3Hijf19rLHgNC1mYOthJSFPEjyRaut6a7tmxBbStaachB5iT2Gnwor99gWYmobhnNISoPB/X4UWaNBDWmihKzp/0zbudNkJnM7mvpYPYYGTgWyOTWyYS5pz7R5HXNkVuUb2fEyZyb0mwO/GlkNdvahEYfXD9UusAWgcCz/NTZGlFXAfmsP22NRwJcjKf9MA7hbKp12gA7z5jbs6LF0uB4/mFGP6WPkxBr3uv5pKzKxY2tnIKqFbXvGLQ2/MUIVyArcGVNOGUmQYsKVACxlRTcX/+DvQFQdT9IE8CYSUCTvDm0vhYp1ZmE3XaECfHg5wPlWRFeA1XBMcUyGUw+ykuVNoON9jrfttCzPn0m8/IbSxqgfs7+RS3I+J1q731nVc00ZH7RQmzdG1acBv7iy2rtOQoF0zSk6q8Xi0kfbZp8n7DwZ4O+QZDfK3DpPsfhvLTyvCL8Jt1LlG/S6+qJ19jqMsZl+/buxQibypaQ== X-Microsoft-Exchange-Diagnostics: 1; BLUPR05MB753; 5:/9BYA9bPpFEFvI2mN+WeT2xdWtNGUoYUz7EJAEjhQXROSYBaWZ15ACoRWIfw7Ix+RHvPy1zC5g3I8bVrTlHiIbhc7kdPPAkTLDpY9zM1UntWAgTMN2uu1MpYdabtdJDuInpPj7xEDgxR9MzdZTl0kGHwtwNOF9fzi/9dxwJu1zBV/4BGI6WnnLGkm4/jral5ZIyzrPJJN0naEcIY6RRqELHZDAYwbSGuYMMpFx8SLwDC2MVg9uMRZRZnWenOHXi6IU8ubMQo1sk9Igeq+BpDCnAex7rMs1oFAXr2MX01N8TaQG9v7/VGH0+F6uKdkKwZDDJB26rQO/6B07ke7T2gMEYOKrR7RfzAkNafN32dbdzJluiUQmnluv6KmoC+qbvKsWt04H/CAfPIVGth6oRB3cCf3D8UwfkrPoCKs0PTd9C8aJXJgbMIXLtucg1Dc4cNrRb4PTjpE35BghNw01AR1+Xipv0KPMnDItbDqKUiBeUdG6Sx1Kh/P4n/nOmCIQXt; 24:evzylZuJP7oUnCr3SiAKU2YDC/AX5ZteTw1ytFpI5wSN8hD0XOikngD0VccqgxNpKnl0TqQSwoHnZH99R0Bd8yAM8rQX5q40H1qGofLxEZk= SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1; BLUPR05MB753; 7:basKu1DbqdQaP7YCa3UOVg2JrsEQVjoe8pTJJ8QeHeJOmdYto3sjosp4Ld9IGBmV3pTUbagVLtfmTuzk+ku23I4rE015paYrcq7oKVG2MVu5h2+HqboXx0bZuIBUe7d47ox0Z2Qni9efSNDxWWXc16f0ISK9g1yIAbO6IIh6uxxp9dwHgJJ1wuOLVehVI5wzqHjQXLzVmiVcoz9VCH4QYAvjrhIl9QXxO4qgxQfKh6r9hf0tFV2zhWbPLZ6nFYXr7Tpca/uKCAD6u5FxDQRLF74Vo7Ej3tXba5cjhzazEVtrphTDL0TclNkNVxLMbsALzdegzdFroIO0AipeXntW1w==; 20:Af+VdEALi8pglMMmQPn9RM6yjEI5+mJFgrlgikXzdxIBnBUk9xdYSB9deV8LAK6NKSTrkPBF9MaMWLB7jGx5/C2juSh9lsn/MjX6Cui6hUve17ryZTFf9N25bAsG+w3Om+c6B74t9VsYGLI3tLKQTUumKNgrPLErE8yqF00AVmw= X-OriginatorOrg: vmware.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Jun 2017 13:24:55.9541 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR05MB753 Cc: stable@vger.kernel.org, Vladis Dronov X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" X-Virus-Scanned: ClamAV using ClamSMTP From: Vladis Dronov The 'req->mip_levels' parameter in vmw_gb_surface_define_ioctl() is a user-controlled 'uint32_t' value which is used as a loop count limit. This can lead to a kernel lockup and DoS. Add check for 'req->mip_levels'. References: https://bugzilla.redhat.com/show_bug.cgi?id=1437431 Cc: Signed-off-by: Vladis Dronov Reviewed-by: Sinclair Yeh --- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c index 7681341..baf03d4 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c @@ -1279,6 +1279,9 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data, if (req->multisample_count != 0) return -EINVAL; + if (req->mip_levels > DRM_VMW_MAX_MIP_LEVELS) + return -EINVAL; + if (unlikely(vmw_user_surface_size == 0)) vmw_user_surface_size = ttm_round_pot(sizeof(*user_srf)) + 128;