From patchwork Thu Jan 9 14:56:55 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thomas Zimmermann X-Patchwork-Id: 13932646 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id AD0FCE77199 for ; Thu, 9 Jan 2025 15:03:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=OxokNzGeXFdujErwyJX/fdJbJKPwgbiH8ZaeKry5Nao=; b=d3zgUPjASjbG5H BgDqucEl7buJRiuwwbXPM02kPiUP1OMLldzBCSR4b7en1ser7y0i0LixFmCHt0TTnKy9t5kzeJqEe RnFvHnLuhounwSfWCosiYWmq6Kwg5vDANsfSGft3tqx1Io3Wg3HJFRpnxhOY+W3EDfoDMSx2K+ogl dh4tXDGAFVb9XkgWdkxOk3PVFvR46pqlbAKgmeJ5ec1hyFJTWEXQjD8eU2mksKwUqs3oDBjlCYeND 19b37Utz5TsEbG3EjUXxduCmzd/BzADQcgm5SXvQ5nYND64ge/XplIs7kM25wGh2nKwYOv3d7N0tO VEk2PhT7zYP60Mn43MeQ==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.98 #2 (Red Hat Linux)) id 1tVu4A-0000000CMJe-0koO; Thu, 09 Jan 2025 15:03:22 +0000 Received: from smtp-out1.suse.de ([2a07:de40:b251:101:10:150:64:1]) by bombadil.infradead.org with esmtps (Exim 4.98 #2 (Red Hat Linux)) id 1tVu46-0000000CMEj-1Prf; Thu, 09 Jan 2025 15:03:20 +0000 Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 92E3D21170; Thu, 9 Jan 2025 15:03:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1736434995; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=XMCayXhRlBVa7gMSmx9Hm+JQPMIVdDIzBmzoFhpmu5s=; b=Hurt5FPj5gtaGEl7MDFSQr1yjZpTEsC59BHG4sl81e51YGBC1DQIeo8AcObIbwo3t1kyRW BoqzmGAdtH46F1MufUgfFbbg/C7zFLSZhK9CXwNfpYpAx4oe2AgI1X0BqlOkTxLKoGlfvj H4t8+YaDtL6zM63SXCatuXM7OGJUdYA= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1736434995; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=XMCayXhRlBVa7gMSmx9Hm+JQPMIVdDIzBmzoFhpmu5s=; b=P7GWPruItIQO/YAmOqVTUNOjEqq6hDn8OMiNUSeBq67Bbmrby9vvRjHdXPPWPM4dSAmLLz TXrcaqcF+IF2ulCg== Authentication-Results: smtp-out1.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1736434995; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=XMCayXhRlBVa7gMSmx9Hm+JQPMIVdDIzBmzoFhpmu5s=; b=Hurt5FPj5gtaGEl7MDFSQr1yjZpTEsC59BHG4sl81e51YGBC1DQIeo8AcObIbwo3t1kyRW BoqzmGAdtH46F1MufUgfFbbg/C7zFLSZhK9CXwNfpYpAx4oe2AgI1X0BqlOkTxLKoGlfvj H4t8+YaDtL6zM63SXCatuXM7OGJUdYA= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1736434995; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=XMCayXhRlBVa7gMSmx9Hm+JQPMIVdDIzBmzoFhpmu5s=; b=P7GWPruItIQO/YAmOqVTUNOjEqq6hDn8OMiNUSeBq67Bbmrby9vvRjHdXPPWPM4dSAmLLz TXrcaqcF+IF2ulCg== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 10A3313A8B; Thu, 9 Jan 2025 15:03:15 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id EKDFAjPlf2c1awAAD6G6ig (envelope-from ); Thu, 09 Jan 2025 15:03:15 +0000 From: Thomas Zimmermann To: maarten.lankhorst@linux.intel.com, mripard@kernel.org, airlied@gmail.com, simona@ffwll.ch Cc: dri-devel@lists.freedesktop.org, linux-mediatek@lists.infradead.org, freedreno@lists.freedesktop.org, linux-arm-msm@vger.kernel.org, imx@lists.linux.dev, linux-samsung-soc@vger.kernel.org, nouveau@lists.freedesktop.org, virtualization@lists.linux.dev, spice-devel@lists.freedesktop.org, linux-renesas-soc@vger.kernel.org, linux-rockchip@lists.infradead.org, linux-tegra@vger.kernel.org, intel-xe@lists.freedesktop.org, xen-devel@lists.xenproject.org, Thomas Zimmermann Subject: [PATCH v2 01/25] drm/dumb-buffers: Sanitize output on errors Date: Thu, 9 Jan 2025 15:56:55 +0100 Message-ID: <20250109150310.219442-2-tzimmermann@suse.de> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20250109150310.219442-1-tzimmermann@suse.de> References: <20250109150310.219442-1-tzimmermann@suse.de> MIME-Version: 1.0 X-Spamd-Result: default: False [-1.30 / 50.00]; BAYES_HAM(-3.00)[100.00%]; SUSPICIOUS_RECIPS(1.50)[]; MID_CONTAINS_FROM(1.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_MISSING_CHARSET(0.50)[]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; RCVD_COUNT_TWO(0.00)[2]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_TWELVE(0.00)[19]; MIME_TRACE(0.00)[0:+]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; RCVD_TLS_ALL(0.00)[]; FUZZY_BLOCKED(0.00)[rspamd.com]; FREEMAIL_TO(0.00)[linux.intel.com,kernel.org,gmail.com,ffwll.ch]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; DBL_BLOCKED_OPENRESOLVER(0.00)[imap1.dmz-prg2.suse.org:helo,suse.de:email,suse.de:mid]; TO_DN_SOME(0.00)[]; FREEMAIL_ENVRCPT(0.00)[gmail.com] X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20250109_070318_526455_2337BF9E X-CRM114-Status: GOOD ( 14.06 ) X-BeenThere: linux-rockchip@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Upstream kernel work for Rockchip platforms List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "Linux-rockchip" Errors-To: linux-rockchip-bounces+linux-rockchip=archiver.kernel.org@lists.infradead.org The ioctls MODE_CREATE_DUMB and MODE_MAP_DUMB return results into a memory buffer supplied by user space. On errors, it is possible that intermediate values are being returned. The exact semantics depends on the DRM driver's implementation of these ioctls. Although this is most-likely not a security problem in practice, avoid any uncertainty by clearing the memory to 0 on errors. Signed-off-by: Thomas Zimmermann --- drivers/gpu/drm/drm_dumb_buffers.c | 40 ++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 11 deletions(-) diff --git a/drivers/gpu/drm/drm_dumb_buffers.c b/drivers/gpu/drm/drm_dumb_buffers.c index 70032bba1c97..9916aaf5b3f2 100644 --- a/drivers/gpu/drm/drm_dumb_buffers.c +++ b/drivers/gpu/drm/drm_dumb_buffers.c @@ -99,7 +99,30 @@ int drm_mode_create_dumb(struct drm_device *dev, int drm_mode_create_dumb_ioctl(struct drm_device *dev, void *data, struct drm_file *file_priv) { - return drm_mode_create_dumb(dev, data, file_priv); + struct drm_mode_create_dumb *args = data; + int err; + + err = drm_mode_create_dumb(dev, args, file_priv); + if (err) { + args->handle = 0; + args->pitch = 0; + args->size = 0; + } + return err; +} + +static int drm_mode_mmap_dumb(struct drm_device *dev, struct drm_mode_map_dumb *args, + struct drm_file *file_priv) +{ + if (!dev->driver->dumb_create) + return -ENOSYS; + + if (dev->driver->dumb_map_offset) + return dev->driver->dumb_map_offset(file_priv, dev, args->handle, + &args->offset); + else + return drm_gem_dumb_map_offset(file_priv, dev, args->handle, + &args->offset); } /** @@ -120,17 +143,12 @@ int drm_mode_mmap_dumb_ioctl(struct drm_device *dev, void *data, struct drm_file *file_priv) { struct drm_mode_map_dumb *args = data; + int err; - if (!dev->driver->dumb_create) - return -ENOSYS; - - if (dev->driver->dumb_map_offset) - return dev->driver->dumb_map_offset(file_priv, dev, - args->handle, - &args->offset); - else - return drm_gem_dumb_map_offset(file_priv, dev, args->handle, - &args->offset); + err = drm_mode_mmap_dumb(dev, args, file_priv); + if (err) + args->offset = 0; + return err; } int drm_mode_destroy_dumb(struct drm_device *dev, u32 handle,