From patchwork Thu Aug 28 13:50:01 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: David Herrmann <dh.herrmann@gmail.com>
X-Patchwork-Id: 4804771
Return-Path: <dri-devel-bounces@lists.freedesktop.org>
X-Original-To: patchwork-dri-devel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id C57629F38C
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Thu, 28 Aug 2014 13:50:30 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 9ED3620155
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Thu, 28 Aug 2014 13:50:29 +0000 (UTC)
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	by mail.kernel.org (Postfix) with ESMTP id 894602011D
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Thu, 28 Aug 2014 13:50:28 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id B7D296E257;
	Thu, 28 Aug 2014 06:50:26 -0700 (PDT)
X-Original-To: dri-devel@lists.freedesktop.org
Delivered-To: dri-devel@lists.freedesktop.org
Received: from mail-wg0-f41.google.com (mail-wg0-f41.google.com
	[74.125.82.41])
	by gabe.freedesktop.org (Postfix) with ESMTP id E57486E257
	for <dri-devel@lists.freedesktop.org>;
	Thu, 28 Aug 2014 06:50:24 -0700 (PDT)
Received: by mail-wg0-f41.google.com with SMTP id l18so761784wgh.0
	for <dri-devel@lists.freedesktop.org>;
	Thu, 28 Aug 2014 06:50:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=from:to:cc:subject:date:message-id;
	bh=2/kn+9TilE7Q7Lp4UKnRv2fDRv+ScATSHTgY5T9yziE=;
	b=Nf8iajao+wv0BhVCX8kKzj+WD7N4Mgf+2+aAYwj4AiJaOWOPmYVYl5SWJArixqmT09
	kiT9AKiPmnmTco6IKDjTe8xwNih0AoAuJkU+Kfym5VVtvhUsXp6Dzz0HwEmQvkzvA7Kg
	3uUG2EWvu8igaeEBml7/veFXNOXGABHSBZg7VVXJuNMIHUmdw42y7ccJsHNomalxtGfi
	Xe67u00Bga2w+2Qu2+MOqmQHEpdOELftyP10TqYMgNAEt/MyMeVz4aO/9iDnDsNQ93Hz
	usKthZ6UaFu3iZywwKKFaDUWAPcW5eQfRQMznFfAdPz+iaQfEe7V0hRXmCT/4VHeM/nG
	v0Tg==
X-Received: by 10.180.104.163 with SMTP id gf3mr37167940wib.24.1409233821257;
	Thu, 28 Aug 2014 06:50:21 -0700 (PDT)
Received: from david-tp.localdomain (stgt-5f7172a4.pool.mediaWays.net.
	[95.113.114.164]) by mx.google.com with ESMTPSA id
	ew1sm10105947wjb.31.2014.08.28.06.50.19 for <multiple recipients>
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Thu, 28 Aug 2014 06:50:20 -0700 (PDT)
From: David Herrmann <dh.herrmann@gmail.com>
To: dri-devel@lists.freedesktop.org
Subject: [PATCH v2] drm: fix division-by-zero on dumb_create()
Date: Thu, 28 Aug 2014 15:50:01 +0200
Message-Id: <1409233801-11928-1-git-send-email-dh.herrmann@gmail.com>
X-Mailer: git-send-email 2.1.0
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
	<dri-devel.lists.freedesktop.org>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
X-Spam-Status: No, score=-4.1 required=5.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_MED, RP_MATCHES_RCVD,
	T_DKIM_INVALID,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Kinda unexpected, but DIV_ROUND_UP() can overflow if passed an argument
bigger than UINT_MAX - DIVISOR. Fix this by testing for "!cpp" before
using it in the following division.

Note that DIV_ROUND_UP() is defined as:
        #define DIV_ROUND_UP(n,d) (((n) + (d) - 1) / (d))

..this will obviously overflow if (n + d - 1) is bigger than UINT_MAX.

Reported-by: Tommi Rantala <tt.rantala@gmail.com>
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Reviewed-by: Rob Clark <robdclark@gmail.com>
---
v2: add comment that DIV_ROUND_UP() might overflow
    add Rob's r-b

 drivers/gpu/drm/drm_crtc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index f09b752..61b6978 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -4720,8 +4720,8 @@ int drm_mode_create_dumb_ioctl(struct drm_device *dev,
 		return -EINVAL;
 
 	/* overflow checks for 32bit size calculations */
-	cpp = DIV_ROUND_UP(args->bpp, 8);
-	if (cpp > 0xffffffffU / args->width)
+	cpp = DIV_ROUND_UP(args->bpp, 8); /* might overflow! */
+	if (!cpp || cpp > 0xffffffffU / args->width)
 		return -EINVAL;
 	stride = cpp * args->width;
 	if (args->height > 0xffffffffU / stride)