Message ID | ZQSlyHKPdw/zsy4c@work (mailing list archive) |
---|---|
State | New, archived |
Series | [next] drm/gud: Use size_add() in call to struct_size() |
On Fri, Sep 15, 2023 at 12:43:20PM -0600, Gustavo A. R. Silva wrote: > If, for any reason, the open-coded arithmetic causes a wraparound, the > protection that `struct_size()` adds against potential integer overflows > is defeated. Fix this by hardening call to `struct_size()` with `size_add()`. > > Fixes: 40e1a70b4aed ("drm: Add GUD USB Display driver") > Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> > --- > drivers/gpu/drm/gud/gud_pipe.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/gud/gud_pipe.c b/drivers/gpu/drm/gud/gud_pipe.c > index d2f199ea3c11..a02f75be81f0 100644 > --- a/drivers/gpu/drm/gud/gud_pipe.c > +++ b/drivers/gpu/drm/gud/gud_pipe.c > @@ -503,7 +503,7 @@ int gud_pipe_check(struct drm_simple_display_pipe *pipe, > return -ENOENT; > > len = struct_size(req, properties, > - GUD_PROPERTIES_MAX_NUM + GUD_CONNECTOR_PROPERTIES_MAX_NUM); > + size_add(GUD_PROPERTIES_MAX_NUM, GUD_CONNECTOR_PROPERTIES_MAX_NUM)); There are both constant expressions, so there's not too much value in wrapping them with size_add(), but for maintaining a common coding style for dealing with allocation sizes, I can be convinced of the change. :) Reviewed-by: Kees Cook <keescook@chromium.org> > req = kzalloc(len, GFP_KERNEL); > if (!req) > return -ENOMEM; > -- > 2.34.1 >
On 9/15/23 12:52, Kees Cook wrote: > On Fri, Sep 15, 2023 at 12:43:20PM -0600, Gustavo A. R. Silva wrote: >> If, for any reason, the open-coded arithmetic causes a wraparound, the >> protection that `struct_size()` adds against potential integer overflows >> is defeated. Fix this by hardening call to `struct_size()` with `size_add()`. >> >> Fixes: 40e1a70b4aed ("drm: Add GUD USB Display driver") >> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> >> --- >> drivers/gpu/drm/gud/gud_pipe.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/gpu/drm/gud/gud_pipe.c b/drivers/gpu/drm/gud/gud_pipe.c >> index d2f199ea3c11..a02f75be81f0 100644 >> --- a/drivers/gpu/drm/gud/gud_pipe.c >> +++ b/drivers/gpu/drm/gud/gud_pipe.c >> @@ -503,7 +503,7 @@ int gud_pipe_check(struct drm_simple_display_pipe *pipe, >> return -ENOENT; >> >> len = struct_size(req, properties, >> - GUD_PROPERTIES_MAX_NUM + GUD_CONNECTOR_PROPERTIES_MAX_NUM); >> + size_add(GUD_PROPERTIES_MAX_NUM, GUD_CONNECTOR_PROPERTIES_MAX_NUM)); > > There are both constant expressions, so there's not too much value in > wrapping them with size_add(), but for maintaining a common coding style > for dealing with allocation sizes, I can be convinced of the change. :) Yep; I've found a mix of constant expressions and variables doing open-coded arithmetic in `struct_size()`, so I'm sending them all. > > Reviewed-by: Kees Cook <keescook@chromium.org> Thanks! -- Gustavo > > >> req = kzalloc(len, GFP_KERNEL); >> if (!req) >> return -ENOMEM; >> -- >> 2.34.1 >> >
On Fri, 15 Sep 2023 12:43:20 -0600, Gustavo A. R. Silva wrote:
> If, for any reason, the open-coded arithmetic causes a wraparound, the
> protection that `struct_size()` adds against potential integer overflows
> is defeated. Fix this by hardening call to `struct_size()` with `size_add()`.
>
>

Applied to for-next/hardening, thanks!

[1/1] drm/gud: Use size_add() in call to struct_size()
      https://git.kernel.org/kees/c/836ccb46073e

Take care,
diff --git a/drivers/gpu/drm/gud/gud_pipe.c b/drivers/gpu/drm/gud/gud_pipe.c index d2f199ea3c11..a02f75be81f0 100644 --- a/drivers/gpu/drm/gud/gud_pipe.c +++ b/drivers/gpu/drm/gud/gud_pipe.c @@ -503,7 +503,7 @@ int gud_pipe_check(struct drm_simple_display_pipe *pipe, return -ENOENT; len = struct_size(req, properties, - GUD_PROPERTIES_MAX_NUM + GUD_CONNECTOR_PROPERTIES_MAX_NUM); + size_add(GUD_PROPERTIES_MAX_NUM, GUD_CONNECTOR_PROPERTIES_MAX_NUM)); req = kzalloc(len, GFP_KERNEL); if (!req) return -ENOMEM;
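Review bot: on the `+` line both operands of `size_add()` are `*_MAX_NUM` names that read as compile-time constants, so the sum cannot wrap at run time and the `Fixes:` tag in the commit message overstates the change; consider describing it as a consistency hardening of `struct_size()` callers instead. Separately, the declaration of `len` is outside the hunk: confirm it is `size_t`, because `size_add()` and `struct_size()` saturate at `SIZE_MAX` and a narrower type would truncate that value before it reaches `kzalloc(len, GFP_KERNEL)`, so the `if (!req)` check would no longer catch it.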
If, for any reason, the open-coded arithmetic causes a wraparound, the
protection that `struct_size()` adds against potential integer overflows
is defeated. Fix this by hardening call to `struct_size()` with `size_add()`.

Fixes: 40e1a70b4aed ("drm: Add GUD USB Display driver")
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
 drivers/gpu/drm/gud/gud_pipe.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
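The wraparound the commit message describes, as an added userspace example that is not part of the original thread or the kernel source. The `model_*` helpers imitate the saturating behaviour of `size_add()`, `size_mul()` and `struct_size()` with compiler builtins; `struct demo_req`, `struct demo_prop` and the input values are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace models of the kernel helpers: saturate at SIZE_MAX on overflow. */
static size_t model_size_add(size_t a, size_t b)
{
	size_t sum;
	return __builtin_add_overflow(a, b, &sum) ? SIZE_MAX : sum;
}

static size_t model_size_mul(size_t a, size_t b)
{
	size_t prod;
	return __builtin_mul_overflow(a, b, &prod) ? SIZE_MAX : prod;
}

/* Hypothetical layout: fixed header followed by a flexible array. */
struct demo_prop { uint16_t prop; uint64_t val; };
struct demo_req { uint8_t hdr[8]; struct demo_prop properties[]; };

/* Models struct_size(req, properties, count). */
static size_t model_struct_size(size_t count)
{
	return model_size_add(sizeof(struct demo_req),
			      model_size_mul(count, sizeof(struct demo_prop)));
}

/* Open-coded a + b wraps before the helper ever sees the count. */
static size_t len_open_coded(size_t a, size_t b)
{
	return model_struct_size(a + b);
}

/* The saturating add keeps the overflow visible all the way to the result. */
static size_t len_hardened(size_t a, size_t b)
{
	return model_struct_size(model_size_add(a, b));
}

int main(void)
{
	size_t a = SIZE_MAX, b = 2; /* constructed values that wrap */

	printf("open-coded: %zu bytes\n", len_open_coded(a, b));
	printf("hardened:   %zu (SIZE_MAX=%zu)\n", len_hardened(a, b), (size_t)SIZE_MAX);
	printf("in range:   %zu == %zu\n", len_open_coded(3, 4), len_hardened(3, 4));
	return 0;
}
```

With the open-coded sum the computed length is a small, plausible size for one element, while the hardened form yields `SIZE_MAX`, which an allocator rejects so the caller's `-ENOMEM` path runs.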