Message ID | 20170817062310.rc6ol2c5vttvrjlx@mwanda (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
On Thu, Aug 17, 2017 at 09:23:10AM +0300, Dan Carpenter wrote: > There are some potential integer overflows here on 64 bit systems. > > The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be > true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the > check for now and look a couple lines after: > > if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32))) > ^^^^^^^^^^^ > "nfences" is an unsigned int, so if we set it to UINT_MAX and multiply > by two, it's going to have an integer overflow. AFAICS it wouldn't overflow due the promotion to unsigned long by '* sizeof(u32)'. > The "args->buffer_count" > is also an unsigned int so it could overflow if it's set to UINT_MAX > when we do: > > exec2_list = kvmalloc_array(args->buffer_count + 1, sz, > ^^^^^^^^^^^^^^^^^^^^^^ Yes, this could overflow. > Fixes: 2889caa92321 ("drm/i915: Eliminate lots of iterations over the execobjects array") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c > index 15ab3e6792f9..f569721aad1a 100644 > --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c > +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c > @@ -2152,7 +2152,7 @@ get_fence_array(struct drm_i915_gem_execbuffer2 *args, > if (!(args->flags & I915_EXEC_FENCE_ARRAY)) > return NULL; > > - if (nfences > SIZE_MAX / sizeof(*fences)) > + if (nfences > UINT_MAX / sizeof(*fences)) > return ERR_PTR(-EINVAL); > > user = u64_to_user_ptr(args->cliprects_ptr); > @@ -2520,7 +2520,7 @@ i915_gem_execbuffer(struct drm_device *dev, void *data, > unsigned int i; > int err; > > - if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) { > + if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) { > DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count); > return -EINVAL; > } > @@ -2609,7 +2609,7 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data, > struct drm_syncobj **fences = NULL; > int err; > > - if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) { > + if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) { > DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count); > return -EINVAL; > } > _______________________________________________ > dri-devel mailing list > dri-devel@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/dri-devel
On Thu, Aug 17, 2017 at 12:37:00PM +0300, Imre Deak wrote: > On Thu, Aug 17, 2017 at 09:23:10AM +0300, Dan Carpenter wrote: > > There are some potential integer overflows here on 64 bit systems. > > > > The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be > > true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the > > check for now and look a couple lines after: > > > > if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32))) > > ^^^^^^^^^^^ > > "nfences" is an unsigned int, so if we set it to UINT_MAX and multiply > > by two, it's going to have an integer overflow. > > AFAICS it wouldn't overflow due the promotion to unsigned long > by '* sizeof(u32)'. > It first multplies "nfences * 2" as unsigned int, then it type promotes to size_t and multiplies by sizeof(). Only the first multiplication has an integer overflow bug. regards, dan carpenter
On Thu, Aug 17, 2017 at 12:50:37PM +0300, Dan Carpenter wrote: > On Thu, Aug 17, 2017 at 12:37:00PM +0300, Imre Deak wrote: > > On Thu, Aug 17, 2017 at 09:23:10AM +0300, Dan Carpenter wrote: > > > There are some potential integer overflows here on 64 bit systems. > > > > > > The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be > > > true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the > > > check for now and look a couple lines after: > > > > > > if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32))) > > > ^^^^^^^^^^^ > > > "nfences" is an unsigned int, so if we set it to UINT_MAX and multiply > > > by two, it's going to have an integer overflow. > > > > AFAICS it wouldn't overflow due the promotion to unsigned long > > by '* sizeof(u32)'. > > > > It first multplies "nfences * 2" as unsigned int, then it type promotes > to size_t and multiplies by sizeof(). Only the first multiplication has > an integer overflow bug. Err, that's correct. Sorry for the noise. > > regards, > dan carpenter >
On Thu, Aug 17, 2017 at 2:56 AM, Imre Deak <imre.deak@intel.com> wrote: > On Thu, Aug 17, 2017 at 12:50:37PM +0300, Dan Carpenter wrote: > > On Thu, Aug 17, 2017 at 12:37:00PM +0300, Imre Deak wrote: > > > On Thu, Aug 17, 2017 at 09:23:10AM +0300, Dan Carpenter wrote: > > > > There are some potential integer overflows here on 64 bit systems. > > > > > > > > The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be > > > > true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the > > > > check for now and look a couple lines after: > > > > > > > > if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32))) > > > > ^^^^^^^^^^^ > > > > "nfences" is an unsigned int, so if we set it to UINT_MAX and > multiply > > > > by two, it's going to have an integer overflow. > > > > > > AFAICS it wouldn't overflow due the promotion to unsigned long > > > by '* sizeof(u32)'. > > > > > > > It first multplies "nfences * 2" as unsigned int, then it type promotes > > to size_t and multiplies by sizeof(). Only the first multiplication has > > an integer overflow bug. > > Err, that's correct. Sorry for the noise. > Why not just replace the "2 * sizeof(u32)" with a "sizeof(*user)". That's what we really want to check. I have no idea how it ended up being "2 * sizeof(u32)" --Jason
On Thu, Aug 17, 2017 at 07:16:03AM -0700, Jason Ekstrand wrote: > On Thu, Aug 17, 2017 at 2:56 AM, Imre Deak <imre.deak@intel.com> wrote: > > > On Thu, Aug 17, 2017 at 12:50:37PM +0300, Dan Carpenter wrote: > > > On Thu, Aug 17, 2017 at 12:37:00PM +0300, Imre Deak wrote: > > > > On Thu, Aug 17, 2017 at 09:23:10AM +0300, Dan Carpenter wrote: > > > > > There are some potential integer overflows here on 64 bit systems. > > > > > > > > > > The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be > > > > > true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the > > > > > check for now and look a couple lines after: > > > > > > > > > > if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32))) > > > > > ^^^^^^^^^^^ > > > > > "nfences" is an unsigned int, so if we set it to UINT_MAX and > > multiply > > > > > by two, it's going to have an integer overflow. > > > > > > > > AFAICS it wouldn't overflow due the promotion to unsigned long > > > > by '* sizeof(u32)'. > > > > > > > > > > It first multplies "nfences * 2" as unsigned int, then it type promotes > > > to size_t and multiplies by sizeof(). Only the first multiplication has > > > an integer overflow bug. > > > > Err, that's correct. Sorry for the noise. > > > > Why not just replace the "2 * sizeof(u32)" with a "sizeof(*user)". That's > what we really want to check. I have no idea how it ended up being "2 * > sizeof(u32)" Yeah. That's more readable. I will resend. regards, dan carpenter
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c index 15ab3e6792f9..f569721aad1a 100644 --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c @@ -2152,7 +2152,7 @@ get_fence_array(struct drm_i915_gem_execbuffer2 *args, if (!(args->flags & I915_EXEC_FENCE_ARRAY)) return NULL; - if (nfences > SIZE_MAX / sizeof(*fences)) + if (nfences > UINT_MAX / sizeof(*fences)) return ERR_PTR(-EINVAL); user = u64_to_user_ptr(args->cliprects_ptr); @@ -2520,7 +2520,7 @@ i915_gem_execbuffer(struct drm_device *dev, void *data, unsigned int i; int err; - if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) { + if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) { DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count); return -EINVAL; } @@ -2609,7 +2609,7 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data, struct drm_syncobj **fences = NULL; int err; - if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) { + if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) { DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count); return -EINVAL; }
There are some potential integer overflows here on 64 bit systems. The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the check for now and look a couple lines after: if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32))) ^^^^^^^^^^^ "nfences" is an unsigned int, so if we set it to UINT_MAX and multiply by two, it's going to have an integer overflow. The "args->buffer_count" is also an unsigned int so it could overflow if it's set to UINT_MAX when we do: exec2_list = kvmalloc_array(args->buffer_count + 1, sz, ^^^^^^^^^^^^^^^^^^^^^^ Fixes: 2889caa92321 ("drm/i915: Eliminate lots of iterations over the execobjects array") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>