| Message ID | 20170818064054.tjp7mqxzuwbruvj7@mwanda (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
Quoting Dan Carpenter (2017-08-18 08:07:00) > There are some potential integer overflows here on 64 bit systems. > > The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be > true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the > check for now and look a couple lines after: > > if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32))) > ^^^^^^^^^^^ > "nfences" is an unsigned int, so if we set it to UINT_MAX and multiply > by two, it's going to have an integer overflow. The multiplication by > sizeof(u32) is OK because that gets type promoted to size_t. This patch > changes the access_ok() check to use sizeof(*user) which fixes the > integer overflow and is also more readable. > > The "args->buffer_count" variable is an unsigned int as well so it could > overflow if it's set to UINT_MAX when we do: > > exec2_list = kvmalloc_array(args->buffer_count + 1, sz, > ^^^^^^^^^^^^^^^^^^^^^^ > > Originally, those two integer overflow checks were against UINT_MAX > instead of SIZE_MAX and this patch changes them back. > > Fixes: 2889caa92321 ("drm/i915: Eliminate lots of iterations over the execobjects array") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > v2: Use sizeof(*users) Please do consider my alternative. -Chris
On Fri, Aug 18, 2017 at 08:46:25AM +0100, Chris Wilson wrote: > Quoting Dan Carpenter (2017-08-18 08:07:00) > > There are some potential integer overflows here on 64 bit systems. > > > > The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be > > true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the > > check for now and look a couple lines after: > > > > if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32))) > > ^^^^^^^^^^^ > > "nfences" is an unsigned int, so if we set it to UINT_MAX and multiply > > by two, it's going to have an integer overflow. The multiplication by > > sizeof(u32) is OK because that gets type promoted to size_t. This patch > > changes the access_ok() check to use sizeof(*user) which fixes the > > integer overflow and is also more readable. > > > > The "args->buffer_count" variable is an unsigned int as well so it could > > overflow if it's set to UINT_MAX when we do: > > > > exec2_list = kvmalloc_array(args->buffer_count + 1, sz, > > ^^^^^^^^^^^^^^^^^^^^^^ > > > > Originally, those two integer overflow checks were against UINT_MAX > > instead of SIZE_MAX and this patch changes them back. > > > > Fixes: 2889caa92321 ("drm/i915: Eliminate lots of iterations over the execobjects array") > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > --- > > v2: Use sizeof(*users) > > Please do consider my alternative. I don't think you sent the email? I haven't recieved any emails from you on either my oracle.com address or through the kernel janitors list. Can you resend? regards dan carpenter
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c index 15ab3e6792f9..11419b81cf13 100644 --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c @@ -2156,7 +2156,7 @@ get_fence_array(struct drm_i915_gem_execbuffer2 *args, return ERR_PTR(-EINVAL); user = u64_to_user_ptr(args->cliprects_ptr); - if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32))) + if (!access_ok(VERIFY_READ, user, nfences * sizeof(*user))) return ERR_PTR(-EFAULT); fences = kvmalloc_array(args->num_cliprects, sizeof(*fences), @@ -2520,7 +2520,7 @@ i915_gem_execbuffer(struct drm_device *dev, void *data, unsigned int i; int err; - if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) { + if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) { DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count); return -EINVAL; } @@ -2609,7 +2609,7 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data, struct drm_syncobj **fences = NULL; int err; - if (args->buffer_count < 1 || args->buffer_count > SIZE_MAX / sz - 1) { + if (args->buffer_count < 1 || args->buffer_count > UINT_MAX / sz - 1) { DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count); return -EINVAL; }
There are some potential integer overflows here on 64 bit systems. The condition "if (nfences > SIZE_MAX / sizeof(*fences))" can only be true on 32 bit systems, it's a no-op on 64 bit, so let's ignore the check for now and look a couple lines after: if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32))) ^^^^^^^^^^^ "nfences" is an unsigned int, so if we set it to UINT_MAX and multiply by two, it's going to have an integer overflow. The multiplication by sizeof(u32) is OK because that gets type promoted to size_t. This patch changes the access_ok() check to use sizeof(*user) which fixes the integer overflow and is also more readable. The "args->buffer_count" variable is an unsigned int as well so it could overflow if it's set to UINT_MAX when we do: exec2_list = kvmalloc_array(args->buffer_count + 1, sz, ^^^^^^^^^^^^^^^^^^^^^^ Originally, those two integer overflow checks were against UINT_MAX instead of SIZE_MAX and this patch changes them back. Fixes: 2889caa92321 ("drm/i915: Eliminate lots of iterations over the execobjects array") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- v2: Use sizeof(*users)