From patchwork Mon Nov 11 14:23:03 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thomas Zimmermann X-Patchwork-Id: 13870860 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id CDA1CD2E9FF for ; Mon, 11 Nov 2024 14:31:23 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id CA63610E4D3; Mon, 11 Nov 2024 14:31:21 +0000 (UTC) Authentication-Results: gabe.freedesktop.org; dkim=pass (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.b="cisjVO2r"; dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b="hUnbruna"; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b="cisjVO2r"; dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b="hUnbruna"; dkim-atps=neutral Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131]) by gabe.freedesktop.org (Postfix) with ESMTPS id CACE910E4D1 for ; Mon, 11 Nov 2024 14:31:20 +0000 (UTC) Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 893FD1F38F; Mon, 11 Nov 2024 14:31:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1731335479; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=RmqTy4Ji0VdfJoCRO7fyir1AA6UMizO/yN2t537BzuU=; b=cisjVO2rcd/29HWLvn0Vx1gIH99I4yXPxK1WlWHv7hVCa5G1dq1f8tzvXjv3P1PWE0vfhp b9ayaPKcsaQYd4h7dt/baoAj2nGsKGT4qNoTtdoCrXXk7K/Qq/+hssohtIGTOuDeE5eNLv ZzP9Yv+cRadaeKgDIBYtcFQQfJsL9+s= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1731335479; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=RmqTy4Ji0VdfJoCRO7fyir1AA6UMizO/yN2t537BzuU=; b=hUnbrunapiuuGsnC/ttYj/V3Nf6A7/+rkJPBuqI9v0vspesLdt8iLqwc61DrQZkK7fA8Nt Rzbjvi70FE5iMUCA== Authentication-Results: smtp-out2.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1731335479; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=RmqTy4Ji0VdfJoCRO7fyir1AA6UMizO/yN2t537BzuU=; b=cisjVO2rcd/29HWLvn0Vx1gIH99I4yXPxK1WlWHv7hVCa5G1dq1f8tzvXjv3P1PWE0vfhp b9ayaPKcsaQYd4h7dt/baoAj2nGsKGT4qNoTtdoCrXXk7K/Qq/+hssohtIGTOuDeE5eNLv ZzP9Yv+cRadaeKgDIBYtcFQQfJsL9+s= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1731335479; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=RmqTy4Ji0VdfJoCRO7fyir1AA6UMizO/yN2t537BzuU=; b=hUnbrunapiuuGsnC/ttYj/V3Nf6A7/+rkJPBuqI9v0vspesLdt8iLqwc61DrQZkK7fA8Nt Rzbjvi70FE5iMUCA== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 45CCD13A17; Mon, 11 Nov 2024 14:31:19 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id 2D/ODzcVMmeWaAAAD6G6ig (envelope-from ); Mon, 11 Nov 2024 14:31:19 +0000 From: Thomas Zimmermann To: maarten.lankhorst@linux.intel.com, mripard@kernel.org, airlied@gmail.com, simona@ffwll.ch, p.zabel@pengutronix.de Cc: dri-devel@lists.freedesktop.org, imx@lists.linux.dev, Thomas Zimmermann Subject: [PATCH 1/5] drm/dumb-buffers: Sanitize output on errors Date: Mon, 11 Nov 2024 15:23:03 +0100 Message-ID: <20241111143114.631690-2-tzimmermann@suse.de> X-Mailer: git-send-email 2.47.0 In-Reply-To: <20241111143114.631690-1-tzimmermann@suse.de> References: <20241111143114.631690-1-tzimmermann@suse.de> MIME-Version: 1.0 X-Spamd-Result: default: False [-6.80 / 50.00]; REPLY(-4.00)[]; BAYES_HAM(-3.00)[100.00%]; MID_CONTAINS_FROM(1.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_MISSING_CHARSET(0.50)[]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; RCVD_COUNT_TWO(0.00)[2]; RCVD_VIA_SMTP_AUTH(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; ARC_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FREEMAIL_TO(0.00)[linux.intel.com,kernel.org,gmail.com,ffwll.ch,pengutronix.de]; RCVD_TLS_ALL(0.00)[]; FUZZY_BLOCKED(0.00)[rspamd.com]; RCPT_COUNT_SEVEN(0.00)[8]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; TO_DN_SOME(0.00)[]; FREEMAIL_ENVRCPT(0.00)[gmail.com] X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" The ioctls MODE_CREATE_DUMB and MODE_MAP_DUMB return results into a memory buffer supplied by user space. On errors, it is possible that intermediate values are being returned. The exact semantics depends on the DRM driver's implementation of these ioctls. Although this is most-likely not a security problem in practice, avoid any uncertainty by clearing the memory to 0 on errors. Signed-off-by: Thomas Zimmermann --- drivers/gpu/drm/drm_dumb_buffers.c | 40 ++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 11 deletions(-) diff --git a/drivers/gpu/drm/drm_dumb_buffers.c b/drivers/gpu/drm/drm_dumb_buffers.c index 70032bba1c97..9916aaf5b3f2 100644 --- a/drivers/gpu/drm/drm_dumb_buffers.c +++ b/drivers/gpu/drm/drm_dumb_buffers.c @@ -99,7 +99,30 @@ int drm_mode_create_dumb(struct drm_device *dev, int drm_mode_create_dumb_ioctl(struct drm_device *dev, void *data, struct drm_file *file_priv) { - return drm_mode_create_dumb(dev, data, file_priv); + struct drm_mode_create_dumb *args = data; + int err; + + err = drm_mode_create_dumb(dev, args, file_priv); + if (err) { + args->handle = 0; + args->pitch = 0; + args->size = 0; + } + return err; +} + +static int drm_mode_mmap_dumb(struct drm_device *dev, struct drm_mode_map_dumb *args, + struct drm_file *file_priv) +{ + if (!dev->driver->dumb_create) + return -ENOSYS; + + if (dev->driver->dumb_map_offset) + return dev->driver->dumb_map_offset(file_priv, dev, args->handle, + &args->offset); + else + return drm_gem_dumb_map_offset(file_priv, dev, args->handle, + &args->offset); } /** @@ -120,17 +143,12 @@ int drm_mode_mmap_dumb_ioctl(struct drm_device *dev, void *data, struct drm_file *file_priv) { struct drm_mode_map_dumb *args = data; + int err; - if (!dev->driver->dumb_create) - return -ENOSYS; - - if (dev->driver->dumb_map_offset) - return dev->driver->dumb_map_offset(file_priv, dev, - args->handle, - &args->offset); - else - return drm_gem_dumb_map_offset(file_priv, dev, args->handle, - &args->offset); + err = drm_mode_mmap_dumb(dev, args, file_priv); + if (err) + args->offset = 0; + return err; } int drm_mode_destroy_dumb(struct drm_device *dev, u32 handle,