From patchwork Tue Feb 19 18:40:19 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jordan Crouse X-Patchwork-Id: 10820585 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5C9716C2 for ; Tue, 19 Feb 2019 18:40:28 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 525912CBC0 for ; Tue, 19 Feb 2019 18:40:28 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 467432D1F7; Tue, 19 Feb 2019 18:40:28 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 06A9E2CBC0 for ; Tue, 19 Feb 2019 18:40:28 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 98D1B891E7; Tue, 19 Feb 2019 18:40:25 +0000 (UTC) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from smtp.codeaurora.org (smtp.codeaurora.org [198.145.29.96]) by gabe.freedesktop.org (Postfix) with ESMTPS id B1D2F891E7; Tue, 19 Feb 2019 18:40:24 +0000 (UTC) Received: by smtp.codeaurora.org (Postfix, from userid 1000) id 741F8608CB; Tue, 19 Feb 2019 18:40:24 +0000 (UTC) Received: from jcrouse1-lnx.qualcomm.com (i-global254.qualcomm.com [199.106.103.254]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: jcrouse@smtp.codeaurora.org) by smtp.codeaurora.org (Postfix) with ESMTPSA id 149B76071A; Tue, 19 Feb 2019 18:40:22 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org 149B76071A From: Jordan Crouse To: freedreno@lists.freedesktop.org Subject: [PATCH RESEND] drm/msm: Truncate the buffer object name if the copy from user failed Date: Tue, 19 Feb 2019 11:40:19 -0700 Message-Id: <1550601619-31051-1-git-send-email-jcrouse@codeaurora.org> X-Mailer: git-send-email 2.7.4 X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1550601624; bh=4WeQi5pHEagIekTpfofuvsBh5mLfS6PKxqY7YzpnRjE=; h=From:To:Cc:Subject:Date:From; b=bdYteH5R3Xcn3ODruBvwZhV9ear62mbSjSpGk57YCgiKeNjGy54Iv0NuPERkIor4W dbkThPdSxlnC6NN2GryxLA1cl1mkf6P6qd7Wksz/WaVzZ3lWvgLGhsFfwoJk1IHQ+n zRdak6QzEOeFkw9kqhH4NIxbffnYDzc2Ra910smI= X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1550601623; bh=4WeQi5pHEagIekTpfofuvsBh5mLfS6PKxqY7YzpnRjE=; h=From:To:Cc:Subject:Date:From; b=lynlJm2+Ykvq0O2tLeavfYTkUj9cqftU/Upnw6EWMtKFw+0H/7wV5Tp7mSJFIRZ64 zxfuZ2WKTLIbK3+ORFEZZs+U/O5JBXOWOtpKc0JW1IqwrlQh14fhMIPXsldT89xJ5h LOG82islAS4Uc85u7j3bA1fTR3YEkxiE2eXCan04= X-Mailman-Original-Authentication-Results: pdx-caf-mail.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org X-Mailman-Original-Authentication-Results: pdx-caf-mail.web.codeaurora.org; spf=none smtp.mailfrom=jcrouse@codeaurora.org X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: David Airlie , linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, Sean Paul , Dan Carpenter MIME-Version: 1.0 Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" X-Virus-Scanned: ClamAV using ClamSMTP (Resend since there was a compile error that I forgot to commit before sending) If there is a error while doing a copy_from_user() for MSM_INFO_SET_NAME make sure to truncate the object name so that there isn't a chance that we'll have random data in the string. This is on top of [1] reported and fixed by Dan Carpenter. [1] https://patchwork.freedesktop.org/series/56656/ Fixes: f05c83e77460 ("drm/msm: add uapi to get/set debug name") Reported-by: Dan Carpenter Signed-off-by: Jordan Crouse Reviewed-by: Sean Paul --- drivers/gpu/drm/msm/msm_drv.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c index 87eae44..906b2bb 100644 --- a/drivers/gpu/drm/msm/msm_drv.c +++ b/drivers/gpu/drm/msm/msm_drv.c @@ -852,8 +852,11 @@ static int msm_ioctl_gem_info(struct drm_device *dev, void *data, break; } if (copy_from_user(msm_obj->name, u64_to_user_ptr(args->value), - args->len)) + args->len)) { + msm_obj->name[0] = '\0'; ret = -EFAULT; + break; + } msm_obj->name[args->len] = '\0'; for (i = 0; i < args->len; i++) { if (!isprint(msm_obj->name[i])) {