From patchwork Thu Aug 17 06:23:10 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 9905029 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id DB12560244 for ; Thu, 17 Aug 2017 06:24:13 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CD1D528AAB for ; Thu, 17 Aug 2017 06:24:13 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C1B5828AB3; Thu, 17 Aug 2017 06:24:13 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 7C2E228AAB for ; Thu, 17 Aug 2017 06:24:13 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id BC7DF8973E; Thu, 17 Aug 2017 06:24:11 +0000 (UTC) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by gabe.freedesktop.org (Postfix) with ESMTPS id 4B893895B9; Thu, 17 Aug 2017 06:24:10 +0000 (UTC) Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v7H6NLN9029187 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 17 Aug 2017 06:23:22 GMT Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id v7H6NLsJ032715 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 17 Aug 2017 06:23:21 GMT Received: from abhmp0007.oracle.com (abhmp0007.oracle.com [141.146.116.13]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id v7H6NGjI026558; Thu, 17 Aug 2017 06:23:18 GMT Received: from mwanda (/41.202.241.23) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 16 Aug 2017 23:23:15 -0700 Date: Thu, 17 Aug 2017 09:23:10 +0300 From: Dan Carpenter To: Daniel Vetter , Jason Ekstrand , Chris Wilson Subject: [PATCH] drm/i915: Fix integer overflow tests Message-ID: <20170817062310.rc6ol2c5vttvrjlx@mwanda> MIME-Version: 1.0 Content-Disposition: inline X-Mailer: git-send-email haha only kidding User-Agent: NeoMutt/20170609 (1.8.3) X-Source-IP: userv0021.oracle.com [156.151.31.71] Cc: intel-gfx@lists.freedesktop.org, kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" X-Virus-Scanned: ClamAV using ClamSMTP There are some potential integer overflows here on 64 bit systems. The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the check for now and look a couple lines after: if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32))) ^^^^^^^^^^^ "nfences" is an unsigned int, so if we set it to UINT_MAX and multiply by two, it's going to have an integer overflow. The "args->buffer_count" is also an unsigned int so it could overflow if it's set to UINT_MAX when we do: exec2_list = kvmalloc_array(args->buffer_count + 1, sz, ^^^^^^^^^^^^^^^^^^^^^^ Fixes: 2889caa92321 ("drm/i915: Eliminate lots of iterations over the execobjects array") Signed-off-by: Dan Carpenter diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c index 15ab3e6792f9..f569721aad1a 100644 --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c @@ -2152,7 +2152,7 @@ get_fence_array(struct drm_i915_gem_execbuffer2 *args, if (!(args->flags & I915_EXEC_FENCE_ARRAY)) return NULL; - if (nfences > SIZE_MAX / sizeof(*fences)) + if (nfences > UINT_MAX / sizeof(*fences)) return ERR_PTR(-EINVAL); user = u64_to_user_ptr(args->cliprects_ptr); @@ -2520,7 +2520,7 @@ i915_gem_execbuffer(struct drm_device *dev, void *data, unsigned int i; int err; - if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) { + if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) { DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count); return -EINVAL; } @@ -2609,7 +2609,7 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data, struct drm_syncobj **fences = NULL; int err; - if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) { + if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) { DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count); return -EINVAL; }