From patchwork Tue Mar 11 15:47:05 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thomas Zimmermann X-Patchwork-Id: 14012023 X-Patchwork-Delegate: kieran@bingham.xyz Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9FFFD25F7BA for ; Tue, 11 Mar 2025 15:54:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.135.223.130 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741708497; cv=none; b=E6ek3qGwat4yjoj7KTulIjBv1Q8bu6mzohGjZ8n4o/1BRW2qnUzUm4dIwagKd+W7mWHApJo42nQRWCDbHLba5I3hS2rNBkxSLMWlGgMaecKhRVhkFNnC9LOsMfbnVBPngc7V0LW32Zz1kF07MwC/tBKMOV5y07jF9QaIDRsxkXQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741708497; c=relaxed/simple; bh=tUv/xOMbSXx0aDIZuU+ujcwrFH6aY7dUoxS4ulYg4qk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=fvv1RJ9mT9Yd6q8SwSHWkHfZC/sNylhbHVHgxdRlJmEob/HfGmUkt6Eg/9fszx4KY58W5sSTRPIfpP7FO/q7gAZp8ZG24EXRBGT88oWZPX3msmFEH9rVQbAHdLfJiWzO+ZMUIYZiovqbSbe/fm/L6Epf+WM4emp4Z1fsInSAGk4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=suse.de; spf=pass smtp.mailfrom=suse.de; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b=MVPMBzoI; dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b=AfiToXBJ; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b=MVPMBzoI; dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b=AfiToXBJ; arc=none smtp.client-ip=195.135.223.130 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=suse.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b="MVPMBzoI"; dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b="AfiToXBJ"; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b="MVPMBzoI"; dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b="AfiToXBJ" Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 44E8921169; Tue, 11 Mar 2025 15:54:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1741708488; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UdY05RGpAGplzZ4tLpVPI7IOVTC1fiPSy8jcYt8fBIg=; b=MVPMBzoIn3DuWX/e1KhcyxR9UtSkFsxvL4ye6fSQQ4NMeooBVmyH7KMwO3vpDSBa4S8int 7N1iZFnVtBRhYpjnYri2w5b+2TR46hftIVeK/zF053yFRf23TUVd1iE21CrDsW4wxsqRzc SjoGeNTgeJbh5pzfgTBvdlQoRA+GDvE= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1741708488; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UdY05RGpAGplzZ4tLpVPI7IOVTC1fiPSy8jcYt8fBIg=; b=AfiToXBJk2NIzIwKPVhvCchsmyY8xE5VSFRMUUO0CJ1oFcnXiovgsIuuJWcmQewXGR8GEt SxykvWNM9nWvLVBQ== Authentication-Results: smtp-out1.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1741708488; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UdY05RGpAGplzZ4tLpVPI7IOVTC1fiPSy8jcYt8fBIg=; b=MVPMBzoIn3DuWX/e1KhcyxR9UtSkFsxvL4ye6fSQQ4NMeooBVmyH7KMwO3vpDSBa4S8int 7N1iZFnVtBRhYpjnYri2w5b+2TR46hftIVeK/zF053yFRf23TUVd1iE21CrDsW4wxsqRzc SjoGeNTgeJbh5pzfgTBvdlQoRA+GDvE= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1741708488; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UdY05RGpAGplzZ4tLpVPI7IOVTC1fiPSy8jcYt8fBIg=; b=AfiToXBJk2NIzIwKPVhvCchsmyY8xE5VSFRMUUO0CJ1oFcnXiovgsIuuJWcmQewXGR8GEt SxykvWNM9nWvLVBQ== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id B6FCC13AB8; Tue, 11 Mar 2025 15:54:47 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id 0CZbK8dc0GdUdQAAD6G6ig (envelope-from ); Tue, 11 Mar 2025 15:54:47 +0000 From: Thomas Zimmermann To: simona@ffwll.ch, airlied@gmail.com, mripard@kernel.org, maarten.lankhorst@linux.intel.com, geert@linux-m68k.org, tomi.valkeinen@ideasonboard.com Cc: dri-devel@lists.freedesktop.org, linux-mediatek@lists.infradead.org, freedreno@lists.freedesktop.org, linux-arm-msm@vger.kernel.org, imx@lists.linux.dev, linux-samsung-soc@vger.kernel.org, nouveau@lists.freedesktop.org, virtualization@lists.linux.dev, spice-devel@lists.freedesktop.org, linux-renesas-soc@vger.kernel.org, linux-rockchip@lists.infradead.org, linux-tegra@vger.kernel.org, intel-xe@lists.freedesktop.org, xen-devel@lists.xenproject.org, Thomas Zimmermann Subject: [PATCH v4 01/25] drm/dumb-buffers: Sanitize output on errors Date: Tue, 11 Mar 2025 16:47:05 +0100 Message-ID: <20250311155120.442633-2-tzimmermann@suse.de> X-Mailer: git-send-email 2.48.1 In-Reply-To: <20250311155120.442633-1-tzimmermann@suse.de> References: <20250311155120.442633-1-tzimmermann@suse.de> Precedence: bulk X-Mailing-List: linux-renesas-soc@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spam-Level: X-Spamd-Result: default: False [-1.30 / 50.00]; BAYES_HAM(-3.00)[100.00%]; SUSPICIOUS_RECIPS(1.50)[]; MID_CONTAINS_FROM(1.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_MISSING_CHARSET(0.50)[]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; RCVD_COUNT_TWO(0.00)[2]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_TWELVE(0.00)[21]; MIME_TRACE(0.00)[0:+]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; RCVD_TLS_ALL(0.00)[]; FUZZY_BLOCKED(0.00)[rspamd.com]; FREEMAIL_TO(0.00)[ffwll.ch,gmail.com,kernel.org,linux.intel.com,linux-m68k.org,ideasonboard.com]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.de:email,suse.de:mid,imap1.dmz-prg2.suse.org:helo]; TO_DN_SOME(0.00)[]; FREEMAIL_ENVRCPT(0.00)[gmail.com] X-Spam-Score: -1.30 X-Spam-Flag: NO The ioctls MODE_CREATE_DUMB and MODE_MAP_DUMB return results into a memory buffer supplied by user space. On errors, it is possible that intermediate values are being returned. The exact semantics depends on the DRM driver's implementation of these ioctls. Although this is most-likely not a security problem in practice, avoid any uncertainty by clearing the memory to 0 on errors. Signed-off-by: Thomas Zimmermann --- drivers/gpu/drm/drm_dumb_buffers.c | 40 ++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 11 deletions(-) diff --git a/drivers/gpu/drm/drm_dumb_buffers.c b/drivers/gpu/drm/drm_dumb_buffers.c index 70032bba1c97..9916aaf5b3f2 100644 --- a/drivers/gpu/drm/drm_dumb_buffers.c +++ b/drivers/gpu/drm/drm_dumb_buffers.c @@ -99,7 +99,30 @@ int drm_mode_create_dumb(struct drm_device *dev, int drm_mode_create_dumb_ioctl(struct drm_device *dev, void *data, struct drm_file *file_priv) { - return drm_mode_create_dumb(dev, data, file_priv); + struct drm_mode_create_dumb *args = data; + int err; + + err = drm_mode_create_dumb(dev, args, file_priv); + if (err) { + args->handle = 0; + args->pitch = 0; + args->size = 0; + } + return err; +} + +static int drm_mode_mmap_dumb(struct drm_device *dev, struct drm_mode_map_dumb *args, + struct drm_file *file_priv) +{ + if (!dev->driver->dumb_create) + return -ENOSYS; + + if (dev->driver->dumb_map_offset) + return dev->driver->dumb_map_offset(file_priv, dev, args->handle, + &args->offset); + else + return drm_gem_dumb_map_offset(file_priv, dev, args->handle, + &args->offset); } /** @@ -120,17 +143,12 @@ int drm_mode_mmap_dumb_ioctl(struct drm_device *dev, void *data, struct drm_file *file_priv) { struct drm_mode_map_dumb *args = data; + int err; - if (!dev->driver->dumb_create) - return -ENOSYS; - - if (dev->driver->dumb_map_offset) - return dev->driver->dumb_map_offset(file_priv, dev, - args->handle, - &args->offset); - else - return drm_gem_dumb_map_offset(file_priv, dev, args->handle, - &args->offset); + err = drm_mode_mmap_dumb(dev, args, file_priv); + if (err) + args->offset = 0; + return err; } int drm_mode_destroy_dumb(struct drm_device *dev, u32 handle,