[v2,7/8] drm: Sanitize DRM_IOCTL_MODE_CREATE_DUMB input

Message ID	1415288961-14464-8-git-send-email-thierry.reding@gmail.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <dri-devel-bounces@lists.freedesktop.org> From: Thierry Reding <thierry.reding@gmail.com> To: Dave Airlie <airlied@redhat.com> Subject: [PATCH v2 7/8] drm: Sanitize DRM_IOCTL_MODE_CREATE_DUMB input Date: Thu, 6 Nov 2014 16:49:20 +0100 Message-Id: <1415288961-14464-8-git-send-email-thierry.reding@gmail.com> In-Reply-To: <1415288961-14464-1-git-send-email-thierry.reding@gmail.com> References: <1415193919-1687-1-git-send-email-thierry.reding@gmail.com> <1415288961-14464-1-git-send-email-thierry.reding@gmail.com> Cc: Benjamin Gaignard <benjamin.gaignard@linaro.org>, Daniel Vetter <daniel.vetter@ffwll.ch>, dri-devel@lists.freedesktop.org, Tomi Valkeinen <tomi.valkeinen@ti.com>, Laurent Pinchart <laurent.pinchart@ideasonboard.com>, Russell King <rmk+kernel@arm.linux.org.uk> Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

Message ID

1415288961-14464-8-git-send-email-thierry.reding@gmail.com (mailing list archive)

State

New, archived

Headers

From: Thierry Reding <thierry.reding@gmail.com>
To: Dave Airlie <airlied@redhat.com>
Subject: [PATCH v2 7/8] drm: Sanitize DRM_IOCTL_MODE_CREATE_DUMB input
Date: Thu,  6 Nov 2014 16:49:20 +0100
Message-Id: <1415288961-14464-8-git-send-email-thierry.reding@gmail.com>
In-Reply-To: <1415288961-14464-1-git-send-email-thierry.reding@gmail.com>
References: <1415193919-1687-1-git-send-email-thierry.reding@gmail.com>
	<1415288961-14464-1-git-send-email-thierry.reding@gmail.com>
Cc: Benjamin Gaignard <benjamin.gaignard@linaro.org>,
	Daniel Vetter <daniel.vetter@ffwll.ch>, dri-devel@lists.freedesktop.org, 
	Tomi Valkeinen <tomi.valkeinen@ti.com>,
	Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
	Russell King <rmk+kernel@arm.linux.org.uk>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

Commit Message

Thierry Reding Nov. 6, 2014, 3:49 p.m. UTC

From: Thierry Reding <treding@nvidia.com>

Some drivers treat the pitch and size fields as inputs and will use them
as minima provided by userspace so that they are only overwritten if the
minimal requirements of the driver exceed them.

This can cause strange behaviour when applications don't zero out these
fields, causing whatever was on the stack to be passed to the IOCTL. In
a typical case this would become visible as a failed allocation if the
pitch or size were unusually high. But this could also cause more subtle
bugs like overallocating dumb framebuffers.

To prevent drivers from misusing these values, make the DRM core zero
out the pitch and size fields before passing the structure to the driver
implementation.

While at it, also set the output handle field to zero for good measure,
even though it's less likely to be abused.

Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Thierry Reding <treding@nvidia.com>
---
Changes in v2:
- add a comment about why we can't simply reject non-zero output fields
---
 drivers/gpu/drm/drm_crtc.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index 0f3c24c0981b..4d7a7699772d 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -4755,6 +4755,16 @@  int drm_mode_create_dumb_ioctl(struct drm_device *dev,
 	if (PAGE_ALIGN(size) == 0)
 		return -EINVAL;
 
+	/*
+	 * handle, pitch and size are output parameters. Zero them out to
+	 * prevent drivers from accidentally using uninitialized data. Since
+	 * not all existing userspace is clearing these fields properly we
+	 * cannot reject IOCTL with garbage in them.
+	 */
+	args->handle = 0;
+	args->pitch = 0;
+	args->size = 0;
+
 	return dev->driver->dumb_create(file_priv, dev, args);
 }

[v2,7/8] drm: Sanitize DRM_IOCTL_MODE_CREATE_DUMB input

Commit Message

Patch