From patchwork Fri Aug 18 07:07:00 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 9907687 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id C927C60382 for ; Fri, 18 Aug 2017 07:08:46 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BB18228C4D for ; Fri, 18 Aug 2017 07:08:46 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A9E3E28C62; Fri, 18 Aug 2017 07:08:46 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 2817128C4D for ; Fri, 18 Aug 2017 07:08:46 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 721F76E67D; Fri, 18 Aug 2017 07:08:45 +0000 (UTC) X-Original-To: intel-gfx@lists.freedesktop.org Delivered-To: intel-gfx@lists.freedesktop.org Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by gabe.freedesktop.org (Postfix) with ESMTPS id C7AB26E6A4; Fri, 18 Aug 2017 07:08:44 +0000 (UTC) Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v7I77N3a000449 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 18 Aug 2017 07:07:24 GMT Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id v7I77Mbh014496 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 18 Aug 2017 07:07:22 GMT Received: from abhmp0006.oracle.com (abhmp0006.oracle.com [141.146.116.12]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id v7I77JKA017545; Fri, 18 Aug 2017 07:07:21 GMT Received: from mwanda (/41.202.241.50) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 18 Aug 2017 00:07:18 -0700 Date: Fri, 18 Aug 2017 10:07:00 +0300 From: Dan Carpenter To: Daniel Vetter , Jason Ekstrand , Chris Wilson Message-ID: <20170818064054.tjp7mqxzuwbruvj7@mwanda> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: X-Mailer: git-send-email haha only kidding User-Agent: NeoMutt/20170609 (1.8.3) X-Source-IP: userv0021.oracle.com [156.151.31.71] Cc: David Airlie , intel-gfx@lists.freedesktop.org, kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org Subject: [Intel-gfx] [PATCH v2] drm/i915: Fix integer overflow tests X-BeenThere: intel-gfx@lists.freedesktop.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Intel graphics driver community testing & development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: intel-gfx-bounces@lists.freedesktop.org Sender: "Intel-gfx" X-Virus-Scanned: ClamAV using ClamSMTP There are some potential integer overflows here on 64 bit systems. The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the check for now and look a couple lines after: if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32))) ^^^^^^^^^^^ "nfences" is an unsigned int, so if we set it to UINT_MAX and multiply by two, it's going to have an integer overflow. The multiplication by sizeof(u32) is OK because that gets type promoted to size_t. This patch changes the access_ok() check to use sizeof(*user) which fixes the integer overflow and is also more readable. The "args->buffer_count" variable is an unsigned int as well so it could overflow if it's set to UINT_MAX when we do: exec2_list = kvmalloc_array(args->buffer_count + 1, sz, ^^^^^^^^^^^^^^^^^^^^^^ Originally, those two integer overflow checks were against UINT_MAX instead of SIZE_MAX and this patch changes them back. Fixes: 2889caa92321 ("drm/i915: Eliminate lots of iterations over the execobjects array") Signed-off-by: Dan Carpenter --- v2: Use sizeof(*users) diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c index 15ab3e6792f9..11419b81cf13 100644 --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c @@ -2156,7 +2156,7 @@ get_fence_array(struct drm_i915_gem_execbuffer2 *args, return ERR_PTR(-EINVAL); user = u64_to_user_ptr(args->cliprects_ptr); - if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32))) + if (!access_ok(VERIFY_READ, user, nfences * sizeof(*user))) return ERR_PTR(-EFAULT); fences = kvmalloc_array(args->num_cliprects, sizeof(*fences), @@ -2520,7 +2520,7 @@ i915_gem_execbuffer(struct drm_device *dev, void *data, unsigned int i; int err; - if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) { + if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) { DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count); return -EINVAL; } @@ -2609,7 +2609,7 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data, struct drm_syncobj **fences = NULL; int err; - if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) { + if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) { DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count); return -EINVAL; }