From: Daniel Vetter
To: DRI Development
Cc: Daniel Vetter, Daniel Vetter, Intel Graphics Development, Pekka Paalanen
Date: Fri, 15 Nov 2019 10:21:13 +0100
Subject: [Intel-gfx] [PATCH 1/8] drm/fb: More paranoia in addfb checks
Message-Id: <20191115092120.4445-2-daniel.vetter@ffwll.ch>
In-Reply-To: <20191115092120.4445-1-daniel.vetter@ffwll.ch>

- Our limit is uint32_t, make that explicit.

- Untangle the one overflow check, I think (but not sure) that with all
  three together you could overflow the uint64_t and it'd look cool
  again. Hence two steps. Also go with the more common (and imo safer
  approach) of reducing the range we accept, instead of trying to
  compute the overflow in high enough precision.

- The above would blow up if we get a 0 pitches, so check for that too,
  but only if block_size is a thing.

Cc: Pekka Paalanen
Signed-off-by: Daniel Vetter
---
 drivers/gpu/drm/drm_framebuffer.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/drm_framebuffer.c b/drivers/gpu/drm/drm_framebuffer.c index 57564318ceea..3141c6ed6dd2 100644 --- a/drivers/gpu/drm/drm_framebuffer.c 
+++ b/drivers/gpu/drm/drm_framebuffer.c @@ -214,15 +214,20 @@ static int framebuffer_check(struct drm_device *dev, return -EINVAL; } - if (min_pitch > UINT_MAX) + if (min_pitch > U8_MAX) return -ERANGE; - if ((uint64_t) height * r->pitches[i] + r->offsets[i] > UINT_MAX) - return -ERANGE; + if (block_size) { + if (r->pitches[i] < min_pitch) { + DRM_DEBUG_KMS("bad pitch %u for plane %d\n", r->pitches[i], i); + return -EINVAL; + } - if (block_size && r->pitches[i] < min_pitch) { - DRM_DEBUG_KMS("bad pitch %u for plane %d\n", r->pitches[i], i); - return -EINVAL; + if (height > U8_MAX / r->pitches[i]) + return -ERANGE; + + if (r->offsets[i] > U8_MAX / r->pitches[i] - height) + return -ERANGE; } if (r->modifier[i] && !(r->flags & DRM_MODE_FB_MODIFIERS)) {
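
Review bot: The new limit in all three range checks of this hunk is U8_MAX (starting at `if (min_pitch > U8_MAX)`), which does not match the commit message's "Our limit is uint32_t": U8_MAX is 255, so any plane whose min_pitch exceeds 255 would now get -ERANGE, and the constant should be U32_MAX throughout. In the last added check, `r->offsets[i] > U8_MAX / r->pitches[i] - height` compares a byte offset against a row count; the removed check bounded height * pitch + offset, so the matching form without 64-bit math is `r->offsets[i] > U32_MAX - height * r->pitches[i]`, which cannot wrap once the preceding division check has passed. The height and offset range checks also moved inside `if (block_size)`, so formats with block_size == 0 no longer get any size bound here, and the zero-pitch guard only holds if min_pitch is nonzero whenever block_size is set; both assumptions deserve a comment or a line in the commit message.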