From: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
To: Chris Wilson <chris@chris-wilson.co.uk>
Cc: dri-devel@lists.freedesktop.org, Dave Airlie <airlied@redhat.com>,
	stable@vger.kernel.org
Subject: Re: [PATCH] drm: Prevent overwriting from userspace underallocating core ioctl structs
Date: Wed, 16 Oct 2013 13:38:39 +0300
Message-ID: <20131016103839.GW13047@intel.com>
In-Reply-To: <1381918964-2797-1-git-send-email-chris@chris-wilson.co.uk>

On Wed, Oct 16, 2013 at 11:22:44AM +0100, Chris Wilson wrote:
> Apply the protections from
> 
> commit 1b2f1489633888d4a06028315dc19d65768a1c05
> Author: Dave Airlie <airlied@redhat.com>
> Date:   Sat Aug 14 20:20:34 2010 +1000
> 
>     drm: block userspace under allocating buffer and having drivers overwrite it (v2)
> 
> to the core ioctl structs as well, for we found one instance where there
> is a 32-/64-bit size mismatch and were guilty of writing beyond the end
> of the user's buffer.
> 
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Dave Airlie <airlied@redhat.com>
> Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
> Cc: dri-devel@lists.freedesktop.org
> Cc: stable@vger.kernel.org

Looks good.

Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>

> ---
>  drivers/gpu/drm/drm_drv.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
> index e572dd20bdee..05ad9ba0a67e 100644
> --- a/drivers/gpu/drm/drm_drv.c
> +++ b/drivers/gpu/drm/drm_drv.c
> @@ -402,9 +402,16 @@ long drm_ioctl(struct file *filp,
>  		cmd = ioctl->cmd_drv;
>  	}
>  	else if ((nr >= DRM_COMMAND_END) || (nr < DRM_COMMAND_BASE)) {
> +		u32 drv_size;
> +
>  		ioctl = &drm_ioctls[nr];
> -		cmd = ioctl->cmd;
> +
> +		drv_size = _IOC_SIZE(ioctl->cmd);
>  		usize = asize = _IOC_SIZE(cmd);
> +		if (drv_size > asize)
> +			asize = drv_size;
> +
> +		cmd = ioctl->cmd;
>  	} else
>  		goto err_i1;
>  
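
Review bot: In the core-ioctl branch the order of `usize = asize = _IOC_SIZE(cmd);` and the moved `cmd = ioctl->cmd;` is now load-bearing and deserves a comment. usize has to be taken from the userspace-supplied cmd before cmd is replaced by the table value; if a later cleanup moves the assignment back up, usize silently becomes the kernel's size again and `drv_size > asize` can never be true. Separately, once asize is raised to drv_size, the bytes between usize and asize in the kernel-side copy are not supplied by the caller. The hunk does not show how they are initialised, so please confirm (ideally in the commit message) that they are zeroed before the handler reads them and that the copy back to userspace is bounded by usize rather than asize.
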
> -- 
> 1.8.4.rc3

-- 
Ville Syrjälä
Intel OTC

Thread overview: 8+ messages
2013-10-16  8:49 [PATCH] drm: Pad drm_mode_get_connector to 64-bit boundary Chris Wilson
2013-10-16 10:09 ` Ville Syrjälä
2013-10-17 13:37   ` Ben Hutchings
2013-10-16 10:14 ` Jani Nikula
2013-10-16 10:24   ` Chris Wilson
2013-10-16 10:54     ` Jani Nikula
2013-10-16 10:22 ` [PATCH] drm: Prevent overwriting from userspace underallocating core ioctl structs Chris Wilson
2013-10-16 10:38   ` Ville Syrjälä [this message]
