| Message ID | 20220401213114.11956-1-paskripkin@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [next,v2] dma-buf/sync-file: do not allow zero size allocation | expand |
Am 01.04.22 um 23:31 schrieb Pavel Skripkin: > num_fences is user-controlled value and it can be equal to 0. Code > should not pass 0 to kcalloc(), since it will cause kcalloc() to return > ZERO_PTR. ZERO_PTR will pass `!fences` check and kernel will panic > because of dereferencing ZERO_PTR in add_fence() > > Fix it by validating num_fences and bail out early if it is equal to 0 Well there are multiple issues with this patch. First of all as I wrote before it shouldn't be possible that num_fences is zero. We could still just add this as a precaution, but then bailing out is the wrong thing to do here. Instead we should then make sure to allocate at least one slot for a fence in the array. But I think the cleanest would just be to not add a fence into the array in the first place when num_fences is zero. Regards, Christian. > > Fixes: 519f490db07e ("dma-buf/sync-file: fix warning about fence containers") > Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> > --- > > Changes since v1: > - Dropped already merged part > - Removed syzkaller's tag > > --- > drivers/dma-buf/sync_file.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/dma-buf/sync_file.c b/drivers/dma-buf/sync_file.c > index b8dea4ec123b..024f22193e0c 100644 > --- a/drivers/dma-buf/sync_file.c > +++ b/drivers/dma-buf/sync_file.c > @@ -212,7 +212,7 @@ static struct sync_file *sync_file_merge(const char *name, struct sync_file *a, > dma_fence_unwrap_for_each(b_fence, &b_iter, b->fence) > ++num_fences; > > - if (num_fences > INT_MAX) > + if (num_fences > INT_MAX || !num_fences) > goto err_free_sync_file; > > fences = kcalloc(num_fences, sizeof(*fences), GFP_KERNEL);
diff --git a/drivers/dma-buf/sync_file.c b/drivers/dma-buf/sync_file.c index b8dea4ec123b..024f22193e0c 100644 --- a/drivers/dma-buf/sync_file.c +++ b/drivers/dma-buf/sync_file.c @@ -212,7 +212,7 @@ static struct sync_file *sync_file_merge(const char *name, struct sync_file *a, dma_fence_unwrap_for_each(b_fence, &b_iter, b->fence) ++num_fences; - if (num_fences > INT_MAX) + if (num_fences > INT_MAX || !num_fences) goto err_free_sync_file; fences = kcalloc(num_fences, sizeof(*fences), GFP_KERNEL);
num_fences is user-controlled value and it can be equal to 0. Code should not pass 0 to kcalloc(), since it will cause kcalloc() to return ZERO_PTR. ZERO_PTR will pass `!fences` check and kernel will panic because of dereferencing ZERO_PTR in add_fence() Fix it by validating num_fences and bail out early if it is equal to 0 Fixes: 519f490db07e ("dma-buf/sync-file: fix warning about fence containers") Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> --- Changes since v1: - Dropped already merged part - Removed syzkaller's tag --- drivers/dma-buf/sync_file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)