diff mbox

drm/i915: Fix integer overflow tests

Message ID 20170817062310.rc6ol2c5vttvrjlx@mwanda (mailing list archive)
State New, archived
Headers show

Commit Message

Dan Carpenter Aug. 17, 2017, 6:23 a.m. UTC 
There are some potential integer overflows here on 64 bit systems.

The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be
true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the
check for now and look a couple lines after:

	if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
                                          ^^^^^^^^^^^
"nfences" is an unsigned int, so if we set it to UINT_MAX and multiply
by two, it's going to have an integer overflow.  The "args->buffer_count"
is also an unsigned int so it could overflow if it's set to UINT_MAX
when we do:

	exec2_list = kvmalloc_array(args->buffer_count + 1, sz,
                                    ^^^^^^^^^^^^^^^^^^^^^^
Fixes: 2889caa92321 ("drm/i915: Eliminate lots of iterations over the execobjects array")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Comments

Imre Deak Aug. 17, 2017, 9:37 a.m. UTC | #1 
On Thu, Aug 17, 2017 at 09:23:10AM +0300, Dan Carpenter wrote:
> There are some potential integer overflows here on 64 bit systems.
> 
> The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be
> true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the
> check for now and look a couple lines after:
> 
> 	if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
>                                           ^^^^^^^^^^^
> "nfences" is an unsigned int, so if we set it to UINT_MAX and multiply
> by two, it's going to have an integer overflow.  

AFAICS it wouldn't overflow due the promotion to unsigned long
by '* sizeof(u32)'.

> The "args->buffer_count"
> is also an unsigned int so it could overflow if it's set to UINT_MAX
> when we do:
> 
> 	exec2_list = kvmalloc_array(args->buffer_count + 1, sz,
>                                     ^^^^^^^^^^^^^^^^^^^^^^

Yes, this could overflow.

> Fixes: 2889caa92321 ("drm/i915: Eliminate lots of iterations over the execobjects array")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
> index 15ab3e6792f9..f569721aad1a 100644
> --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
> +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
> @@ -2152,7 +2152,7 @@ get_fence_array(struct drm_i915_gem_execbuffer2 *args,
>  	if (!(args->flags & I915_EXEC_FENCE_ARRAY))
>  		return NULL;
>  
> -	if (nfences > SIZE_MAX / sizeof(*fences))
> +	if (nfences > UINT_MAX / sizeof(*fences))
>  		return ERR_PTR(-EINVAL);
>  
>  	user = u64_to_user_ptr(args->cliprects_ptr);
> @@ -2520,7 +2520,7 @@ i915_gem_execbuffer(struct drm_device *dev, void *data,
>  	unsigned int i;
>  	int err;
>  
> -	if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) {
> +	if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) {
>  		DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count);
>  		return -EINVAL;
>  	}
> @@ -2609,7 +2609,7 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data,
>  	struct drm_syncobj **fences = NULL;
>  	int err;
>  
> -	if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) {
> +	if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) {
>  		DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count);
>  		return -EINVAL;
>  	}
> _______________________________________________
> dri-devel mailing list
> dri-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel
Dan Carpenter Aug. 17, 2017, 9:50 a.m. UTC | #2 
On Thu, Aug 17, 2017 at 12:37:00PM +0300, Imre Deak wrote:
> On Thu, Aug 17, 2017 at 09:23:10AM +0300, Dan Carpenter wrote:
> > There are some potential integer overflows here on 64 bit systems.
> > 
> > The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be
> > true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the
> > check for now and look a couple lines after:
> > 
> > 	if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
> >                                           ^^^^^^^^^^^
> > "nfences" is an unsigned int, so if we set it to UINT_MAX and multiply
> > by two, it's going to have an integer overflow.  
> 
> AFAICS it wouldn't overflow due the promotion to unsigned long
> by '* sizeof(u32)'.
> 

It first multplies "nfences * 2" as unsigned int, then it type promotes
to size_t and multiplies by sizeof().  Only the first multiplication has
an integer overflow bug.

regards,
dan carpenter
Imre Deak Aug. 17, 2017, 9:56 a.m. UTC | #3 
On Thu, Aug 17, 2017 at 12:50:37PM +0300, Dan Carpenter wrote:
> On Thu, Aug 17, 2017 at 12:37:00PM +0300, Imre Deak wrote:
> > On Thu, Aug 17, 2017 at 09:23:10AM +0300, Dan Carpenter wrote:
> > > There are some potential integer overflows here on 64 bit systems.
> > > 
> > > The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be
> > > true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the
> > > check for now and look a couple lines after:
> > > 
> > > 	if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
> > >                                           ^^^^^^^^^^^
> > > "nfences" is an unsigned int, so if we set it to UINT_MAX and multiply
> > > by two, it's going to have an integer overflow.  
> > 
> > AFAICS it wouldn't overflow due the promotion to unsigned long
> > by '* sizeof(u32)'.
> > 
> 
> It first multplies "nfences * 2" as unsigned int, then it type promotes
> to size_t and multiplies by sizeof().  Only the first multiplication has
> an integer overflow bug.

Err, that's correct. Sorry for the noise.

> 
> regards,
> dan carpenter
>
Jason Ekstrand Aug. 17, 2017, 2:16 p.m. UTC | #4 
On Thu, Aug 17, 2017 at 2:56 AM, Imre Deak <imre.deak@intel.com> wrote:

> On Thu, Aug 17, 2017 at 12:50:37PM +0300, Dan Carpenter wrote:
> > On Thu, Aug 17, 2017 at 12:37:00PM +0300, Imre Deak wrote:
> > > On Thu, Aug 17, 2017 at 09:23:10AM +0300, Dan Carpenter wrote:
> > > > There are some potential integer overflows here on 64 bit systems.
> > > >
> > > > The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be
> > > > true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the
> > > > check for now and look a couple lines after:
> > > >
> > > >   if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
> > > >                                           ^^^^^^^^^^^
> > > > "nfences" is an unsigned int, so if we set it to UINT_MAX and
> multiply
> > > > by two, it's going to have an integer overflow.
> > >
> > > AFAICS it wouldn't overflow due the promotion to unsigned long
> > > by '* sizeof(u32)'.
> > >
> >
> > It first multplies "nfences * 2" as unsigned int, then it type promotes
> > to size_t and multiplies by sizeof().  Only the first multiplication has
> > an integer overflow bug.
>
> Err, that's correct. Sorry for the noise.
>

Why not just replace the "2 * sizeof(u32)" with a "sizeof(*user)".  That's
what we really want to check.  I have no idea how it ended up being "2 *
sizeof(u32)"

--Jason
Dan Carpenter Aug. 17, 2017, 2:32 p.m. UTC | #5 
On Thu, Aug 17, 2017 at 07:16:03AM -0700, Jason Ekstrand wrote:
> On Thu, Aug 17, 2017 at 2:56 AM, Imre Deak <imre.deak@intel.com> wrote:
> 
> > On Thu, Aug 17, 2017 at 12:50:37PM +0300, Dan Carpenter wrote:
> > > On Thu, Aug 17, 2017 at 12:37:00PM +0300, Imre Deak wrote:
> > > > On Thu, Aug 17, 2017 at 09:23:10AM +0300, Dan Carpenter wrote:
> > > > > There are some potential integer overflows here on 64 bit systems.
> > > > >
> > > > > The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be
> > > > > true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the
> > > > > check for now and look a couple lines after:
> > > > >
> > > > >   if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
> > > > >                                           ^^^^^^^^^^^
> > > > > "nfences" is an unsigned int, so if we set it to UINT_MAX and
> > multiply
> > > > > by two, it's going to have an integer overflow.
> > > >
> > > > AFAICS it wouldn't overflow due the promotion to unsigned long
> > > > by '* sizeof(u32)'.
> > > >
> > >
> > > It first multplies "nfences * 2" as unsigned int, then it type promotes
> > > to size_t and multiplies by sizeof().  Only the first multiplication has
> > > an integer overflow bug.
> >
> > Err, that's correct. Sorry for the noise.
> >
> 
> Why not just replace the "2 * sizeof(u32)" with a "sizeof(*user)".  That's
> what we really want to check.  I have no idea how it ended up being "2 *
> sizeof(u32)"

Yeah.  That's more readable.  I will resend.

regards,
dan carpenter
diff mbox

Patch

diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index 15ab3e6792f9..f569721aad1a 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -2152,7 +2152,7 @@  get_fence_array(struct drm_i915_gem_execbuffer2 *args,
 	if (!(args->flags & I915_EXEC_FENCE_ARRAY))
 		return NULL;
 
-	if (nfences > SIZE_MAX / sizeof(*fences))
+	if (nfences > UINT_MAX / sizeof(*fences))
 		return ERR_PTR(-EINVAL);
 
 	user = u64_to_user_ptr(args->cliprects_ptr);
@@ -2520,7 +2520,7 @@  i915_gem_execbuffer(struct drm_device *dev, void *data,
 	unsigned int i;
 	int err;
 
-	if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) {
+	if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) {
 		DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count);
 		return -EINVAL;
 	}
@@ -2609,7 +2609,7 @@  i915_gem_execbuffer2(struct drm_device *dev, void *data,
 	struct drm_syncobj **fences = NULL;
 	int err;
 
-	if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) {
+	if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) {
 		DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count);
 		return -EINVAL;
 	}