| Message ID | 20210915192318.2061-1-tim.gardner@canonical.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | drm/i915: zero fill vma name buffer | expand |
On 15/09/2021 20:23, Tim Gardner wrote: > In capture_vma() Coverity complains of a possible buffer overrun. Even > though this is a static function where all call sites can be checked, > limiting the copy length could save some future grief. > > CID 93300 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW) > 4. fixed_size_dest: You might overrun the 16-character fixed-size string c->name > by copying name without checking the length. > 5. parameter_as_source: Note: This defect has an elevated risk because the > source argument is a parameter of the current function. > 1326 strcpy(c->name, name); > > Fix any possible overflows by using strncpy(). Zero fill the name buffer to > guarantee ASCII string NULL termination. > > Cc: Jani Nikula <jani.nikula@linux.intel.com> > Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> > Cc: Rodrigo Vivi <rodrigo.vivi@intel.com> > Cc: David Airlie <airlied@linux.ie> > Cc: Daniel Vetter <daniel@ffwll.ch> > Cc: intel-gfx@lists.freedesktop.org > Cc: dri-devel@lists.freedesktop.org > Cc: linux-kernel@vger.kernel.org > Signed-off-by: Tim Gardner <tim.gardner@canonical.com> > --- > drivers/gpu/drm/i915/i915_gpu_error.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c > index 9cf6ac575de1..154df174e2d7 100644 > --- a/drivers/gpu/drm/i915/i915_gpu_error.c > +++ b/drivers/gpu/drm/i915/i915_gpu_error.c > @@ -1297,10 +1297,11 @@ static bool record_context(struct i915_gem_context_coredump *e, > return simulated; > } > > +#define VMA_NAME_LEN 16 > struct intel_engine_capture_vma { > struct intel_engine_capture_vma *next; > struct i915_vma *vma; > - char name[16]; > + char name[VMA_NAME_LEN]; > }; > > static struct intel_engine_capture_vma * > @@ -1314,7 +1315,7 @@ capture_vma(struct intel_engine_capture_vma *next, > if (!vma) > return next; > > - c = kmalloc(sizeof(*c), gfp); > + c = kzalloc(sizeof(*c), gfp); > if (!c) > return next; > > @@ -1323,7 +1324,7 @@ capture_vma(struct intel_engine_capture_vma *next, > return next; > } > > - strcpy(c->name, name); > + strncpy(c->name, name, VMA_NAME_LEN-1); GCC is supposed to catch any problems here as you say in the commit message. But to fix I suggest a single line change to strlcpy(c->name, name, sizeof(c->name)) which always null terminates as bonus. Probably same in i915_vma_coredump_create() which with strncpy would have a theoretical chance of attempting to copy over a non-null-terminated string. Regards, Tvrtko > c->vma = vma; /* reference held while active */ > > c->next = next; >
On Thu, 16 Sep 2021, Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com> wrote: > On 15/09/2021 20:23, Tim Gardner wrote: >> In capture_vma() Coverity complains of a possible buffer overrun. Even >> though this is a static function where all call sites can be checked, >> limiting the copy length could save some future grief. >> >> CID 93300 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW) >> 4. fixed_size_dest: You might overrun the 16-character fixed-size string c->name >> by copying name without checking the length. >> 5. parameter_as_source: Note: This defect has an elevated risk because the >> source argument is a parameter of the current function. >> 1326 strcpy(c->name, name); >> >> Fix any possible overflows by using strncpy(). Zero fill the name buffer to >> guarantee ASCII string NULL termination. >> >> Cc: Jani Nikula <jani.nikula@linux.intel.com> >> Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> >> Cc: Rodrigo Vivi <rodrigo.vivi@intel.com> >> Cc: David Airlie <airlied@linux.ie> >> Cc: Daniel Vetter <daniel@ffwll.ch> >> Cc: intel-gfx@lists.freedesktop.org >> Cc: dri-devel@lists.freedesktop.org >> Cc: linux-kernel@vger.kernel.org >> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> >> --- >> drivers/gpu/drm/i915/i915_gpu_error.c | 7 ++++--- >> 1 file changed, 4 insertions(+), 3 deletions(-) >> >> diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c >> index 9cf6ac575de1..154df174e2d7 100644 >> --- a/drivers/gpu/drm/i915/i915_gpu_error.c >> +++ b/drivers/gpu/drm/i915/i915_gpu_error.c >> @@ -1297,10 +1297,11 @@ static bool record_context(struct i915_gem_context_coredump *e, >> return simulated; >> } >> >> +#define VMA_NAME_LEN 16 >> struct intel_engine_capture_vma { >> struct intel_engine_capture_vma *next; >> struct i915_vma *vma; >> - char name[16]; >> + char name[VMA_NAME_LEN]; >> }; >> >> static struct intel_engine_capture_vma * >> @@ -1314,7 +1315,7 @@ capture_vma(struct intel_engine_capture_vma *next, >> if (!vma) >> return next; >> >> - c = kmalloc(sizeof(*c), gfp); >> + c = kzalloc(sizeof(*c), gfp); >> if (!c) >> return next; >> >> @@ -1323,7 +1324,7 @@ capture_vma(struct intel_engine_capture_vma *next, >> return next; >> } >> >> - strcpy(c->name, name); >> + strncpy(c->name, name, VMA_NAME_LEN-1); > > GCC is supposed to catch any problems here as you say in the commit message. > > But to fix I suggest a single line change to strlcpy(c->name, name, > sizeof(c->name)) which always null terminates as bonus. strscpy() is preferred over both strncpy() and strlcpy(). :) BR, Jani. > > Probably same in i915_vma_coredump_create() which with strncpy would > have a theoretical chance of attempting to copy over a > non-null-terminated string. > > Regards, > > Tvrtko > >> c->vma = vma; /* reference held while active */ >> >> c->next = next; >>
On 9/16/21 4:43 AM, Jani Nikula wrote: > On Thu, 16 Sep 2021, Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com> wrote: >> On 15/09/2021 20:23, Tim Gardner wrote: >>> In capture_vma() Coverity complains of a possible buffer overrun. Even >>> though this is a static function where all call sites can be checked, >>> limiting the copy length could save some future grief. >>> >>> CID 93300 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW) >>> 4. fixed_size_dest: You might overrun the 16-character fixed-size string c->name >>> by copying name without checking the length. >>> 5. parameter_as_source: Note: This defect has an elevated risk because the >>> source argument is a parameter of the current function. >>> 1326 strcpy(c->name, name); >>> >>> Fix any possible overflows by using strncpy(). Zero fill the name buffer to >>> guarantee ASCII string NULL termination. >>> >>> Cc: Jani Nikula <jani.nikula@linux.intel.com> >>> Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> >>> Cc: Rodrigo Vivi <rodrigo.vivi@intel.com> >>> Cc: David Airlie <airlied@linux.ie> >>> Cc: Daniel Vetter <daniel@ffwll.ch> >>> Cc: intel-gfx@lists.freedesktop.org >>> Cc: dri-devel@lists.freedesktop.org >>> Cc: linux-kernel@vger.kernel.org >>> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> >>> --- >>> drivers/gpu/drm/i915/i915_gpu_error.c | 7 ++++--- >>> 1 file changed, 4 insertions(+), 3 deletions(-) >>> >>> diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c >>> index 9cf6ac575de1..154df174e2d7 100644 >>> --- a/drivers/gpu/drm/i915/i915_gpu_error.c >>> +++ b/drivers/gpu/drm/i915/i915_gpu_error.c >>> @@ -1297,10 +1297,11 @@ static bool record_context(struct i915_gem_context_coredump *e, >>> return simulated; >>> } >>> >>> +#define VMA_NAME_LEN 16 >>> struct intel_engine_capture_vma { >>> struct intel_engine_capture_vma *next; >>> struct i915_vma *vma; >>> - char name[16]; >>> + char name[VMA_NAME_LEN]; >>> }; >>> >>> static struct intel_engine_capture_vma * >>> @@ -1314,7 +1315,7 @@ capture_vma(struct intel_engine_capture_vma *next, >>> if (!vma) >>> return next; >>> >>> - c = kmalloc(sizeof(*c), gfp); >>> + c = kzalloc(sizeof(*c), gfp); >>> if (!c) >>> return next; >>> >>> @@ -1323,7 +1324,7 @@ capture_vma(struct intel_engine_capture_vma *next, >>> return next; >>> } >>> >>> - strcpy(c->name, name); >>> + strncpy(c->name, name, VMA_NAME_LEN-1); >> >> GCC is supposed to catch any problems here as you say in the commit message. >> >> But to fix I suggest a single line change to strlcpy(c->name, name, >> sizeof(c->name)) which always null terminates as bonus. > > strscpy() is preferred over both strncpy() and strlcpy(). :) > > BR, > Jani. > Good call. v2 on the way. rtg >> >> Probably same in i915_vma_coredump_create() which with strncpy would >> have a theoretical chance of attempting to copy over a >> non-null-terminated string. >> >> Regards, >> >> Tvrtko >> >>> c->vma = vma; /* reference held while active */ >>> >>> c->next = next; >>> >
diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c index 9cf6ac575de1..154df174e2d7 100644 --- a/drivers/gpu/drm/i915/i915_gpu_error.c +++ b/drivers/gpu/drm/i915/i915_gpu_error.c @@ -1297,10 +1297,11 @@ static bool record_context(struct i915_gem_context_coredump *e, return simulated; } +#define VMA_NAME_LEN 16 struct intel_engine_capture_vma { struct intel_engine_capture_vma *next; struct i915_vma *vma; - char name[16]; + char name[VMA_NAME_LEN]; }; static struct intel_engine_capture_vma * @@ -1314,7 +1315,7 @@ capture_vma(struct intel_engine_capture_vma *next, if (!vma) return next; - c = kmalloc(sizeof(*c), gfp); + c = kzalloc(sizeof(*c), gfp); if (!c) return next; @@ -1323,7 +1324,7 @@ capture_vma(struct intel_engine_capture_vma *next, return next; } - strcpy(c->name, name); + strncpy(c->name, name, VMA_NAME_LEN-1); c->vma = vma; /* reference held while active */ c->next = next;
In capture_vma() Coverity complains of a possible buffer overrun. Even though this is a static function where all call sites can be checked, limiting the copy length could save some future grief. CID 93300 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW) 4. fixed_size_dest: You might overrun the 16-character fixed-size string c->name by copying name without checking the length. 5. parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function. 1326 strcpy(c->name, name); Fix any possible overflows by using strncpy(). Zero fill the name buffer to guarantee ASCII string NULL termination. Cc: Jani Nikula <jani.nikula@linux.intel.com> Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> Cc: Rodrigo Vivi <rodrigo.vivi@intel.com> Cc: David Airlie <airlied@linux.ie> Cc: Daniel Vetter <daniel@ffwll.ch> Cc: intel-gfx@lists.freedesktop.org Cc: dri-devel@lists.freedesktop.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Tim Gardner <tim.gardner@canonical.com> --- drivers/gpu/drm/i915/i915_gpu_error.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)