diff mbox

drm: Add missing field copy in compat_drm_version

Message ID 1499840312-23418-1-git-send-email-jeffy.chen@rock-chips.com (mailing list archive)
State New, archived
Headers show

Commit Message

Jeffy Chen July 12, 2017, 6:18 a.m. UTC 
DRM_IOCTL_VERSION is supposed to update the name_len/date_len/desc_len
fields to user.

Fixes: 012c6741c6aa("switch compat_drm_version() to drm_ioctl_kernel()")
Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>

---

 drivers/gpu/drm/drm_ioc32.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Jeffy Chen July 13, 2017, 2:20 a.m. UTC | #1 
Hi guys,

i was testing this on arm64 base chromeos(with arm32 userspace).

and the libdrm crashed:
     drmVersionPtr drmGetVersion(int fd)
     {
     ...
         memclear(*version);

         if (drmIoctl(fd, DRM_IOCTL_VERSION, version)) {
     ...
         if (version->name_len)
             version->name    = drmMalloc(version->name_len + 1); <-- 
rely on the lengths updated by kernel
         if (version->date_len)
             version->date    = drmMalloc(version->date_len + 1);
         if (version->desc_len)
             version->desc    = drmMalloc(version->desc_len + 1);
     ...
         if (version->name_len) version->name[version->name_len] = '\0'; 
<-- crashed here, since the name_len would always be zero, so 
version->name would be nullptr.


On 07/12/2017 02:18 PM, Jeffy Chen wrote:
> DRM_IOCTL_VERSION is supposed to update the name_len/date_len/desc_len
> fields to user.
>
> Fixes: 012c6741c6aa("switch compat_drm_version() to drm_ioctl_kernel()")
> Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
> ---
>
>   drivers/gpu/drm/drm_ioc32.c | 3 +++
>   1 file changed, 3 insertions(+)
>
> diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
> index 94acf51..2789356 100644
> --- a/drivers/gpu/drm/drm_ioc32.c
> +++ b/drivers/gpu/drm/drm_ioc32.c
> @@ -112,6 +112,9 @@ static int compat_drm_version(struct file *file, unsigned int cmd,
>   	v32.version_major = v.version_major;
>   	v32.version_minor = v.version_minor;
>   	v32.version_patchlevel = v.version_patchlevel;
> +	v32.name_len = v.name_len;
> +	v32.date_len = v.date_len;
> +	v32.desc_len = v.desc_len;
>   	if (copy_to_user((void __user *)arg, &v32, sizeof(v32)))
>   		return -EFAULT;
>   	return 0;
>
>
Daniel Vetter July 13, 2017, 12:36 p.m. UTC | #2 
On Wed, Jul 12, 2017 at 02:18:32PM +0800, Jeffy Chen wrote:
> DRM_IOCTL_VERSION is supposed to update the name_len/date_len/desc_len
> fields to user.
> 
> Fixes: 012c6741c6aa("switch compat_drm_version() to drm_ioctl_kernel()")
> Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>

Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>

Linus, since Dave is a bit out with flu and this bug only exists in your
tree (not yet in drm-next), can you pls apply this directly? It's a fumble
in Al's rework. Direct mbox link from patchwork, in case you don't have
that in your archives anywhere:

https://patchwork.freedesktop.org/patch/166318/mbox/

Thanks, Daniel

> 
> ---
> 
>  drivers/gpu/drm/drm_ioc32.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
> index 94acf51..2789356 100644
> --- a/drivers/gpu/drm/drm_ioc32.c
> +++ b/drivers/gpu/drm/drm_ioc32.c
> @@ -112,6 +112,9 @@ static int compat_drm_version(struct file *file, unsigned int cmd,
>  	v32.version_major = v.version_major;
>  	v32.version_minor = v.version_minor;
>  	v32.version_patchlevel = v.version_patchlevel;
> +	v32.name_len = v.name_len;
> +	v32.date_len = v.date_len;
> +	v32.desc_len = v.desc_len;
>  	if (copy_to_user((void __user *)arg, &v32, sizeof(v32)))
>  		return -EFAULT;
>  	return 0;
> -- 
> 2.1.4
> 
> 
> _______________________________________________
> dri-devel mailing list
> dri-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel
Al Viro July 14, 2017, 1:39 a.m. UTC | #3 
On Thu, Jul 13, 2017 at 02:36:55PM +0200, Daniel Vetter wrote:
> On Wed, Jul 12, 2017 at 02:18:32PM +0800, Jeffy Chen wrote:
> > DRM_IOCTL_VERSION is supposed to update the name_len/date_len/desc_len
> > fields to user.
> > 
> > Fixes: 012c6741c6aa("switch compat_drm_version() to drm_ioctl_kernel()")
> > Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
> 
> Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
> 
> Linus, since Dave is a bit out with flu and this bug only exists in your
> tree (not yet in drm-next), can you pls apply this directly? It's a fumble
> in Al's rework. Direct mbox link from patchwork, in case you don't have
> that in your archives anywhere:

(Belated) ACKed-by: Al Viro <viro@zeniv.linux.org.uk>
diff mbox

Patch

diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
index 94acf51..2789356 100644
--- a/drivers/gpu/drm/drm_ioc32.c
+++ b/drivers/gpu/drm/drm_ioc32.c
@@ -112,6 +112,9 @@  static int compat_drm_version(struct file *file, unsigned int cmd,
 	v32.version_major = v.version_major;
 	v32.version_minor = v.version_minor;
 	v32.version_patchlevel = v.version_patchlevel;
+	v32.name_len = v.name_len;
+	v32.date_len = v.date_len;
+	v32.desc_len = v.desc_len;
 	if (copy_to_user((void __user *)arg, &v32, sizeof(v32)))
 		return -EFAULT;
 	return 0;