From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ville =?iso-8859-1?Q?Syrj=E4l=E4?= <ville.syrjala@linux.intel.com>
Subject: Re: [PATCH] drm: Prevent overwriting from userspace underallocating
 core ioctl structs
Date: Wed, 16 Oct 2013 13:38:39 +0300
Message-ID: <20131016103839.GW13047@intel.com>
References: <1381913342-17634-1-git-send-email-chris@chris-wilson.co.uk>
 <1381918964-2797-1-git-send-email-chris@chris-wilson.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Return-path: <stable-owner@vger.kernel.org>
Content-Disposition: inline
In-Reply-To: <1381918964-2797-1-git-send-email-chris@chris-wilson.co.uk>
Sender: stable-owner@vger.kernel.org
To: Chris Wilson <chris@chris-wilson.co.uk>
Cc: dri-devel@lists.freedesktop.org, Dave Airlie <airlied@redhat.com>, stable@vger.kernel.org
List-Id: dri-devel@lists.freedesktop.org

On Wed, Oct 16, 2013 at 11:22:44AM +0100, Chris Wilson wrote:
> Apply the protections from
>=20
> commit 1b2f1489633888d4a06028315dc19d65768a1c05
> Author: Dave Airlie <airlied@redhat.com>
> Date:   Sat Aug 14 20:20:34 2010 +1000
>=20
>     drm: block userspace under allocating buffer and having drivers o=
verwrite it (v2)
>=20
> to the core ioctl structs as well, for we found one instance where th=
ere
> is a 32-/64-bit size mismatch and were guilty of writing beyond the e=
nd
> of the user's buffer.
>=20
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Dave Airlie <airlied@redhat.com>
> Cc: Ville Syrj=E4l=E4 <ville.syrjala@linux.intel.com>
> Cc: dri-devel@lists.freedesktop.org
> Cc: stable@vger.kernel.org

Looks good.

Reviewed-by: Ville Syrj=E4l=E4 <ville.syrjala@linux.intel.com>

> ---
>  drivers/gpu/drm/drm_drv.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
>=20
> diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
> index e572dd20bdee..05ad9ba0a67e 100644
> --- a/drivers/gpu/drm/drm_drv.c
> +++ b/drivers/gpu/drm/drm_drv.c
> @@ -402,9 +402,16 @@ long drm_ioctl(struct file *filp,
>  		cmd =3D ioctl->cmd_drv;
>  	}
>  	else if ((nr >=3D DRM_COMMAND_END) || (nr < DRM_COMMAND_BASE)) {
> +		u32 drv_size;
> +
>  		ioctl =3D &drm_ioctls[nr];
> -		cmd =3D ioctl->cmd;
> +
> +		drv_size =3D _IOC_SIZE(ioctl->cmd);
>  		usize =3D asize =3D _IOC_SIZE(cmd);
> +		if (drv_size > asize)
> +			asize =3D drv_size;
> +
> +		cmd =3D ioctl->cmd;
>  	} else
>  		goto err_i1;
> =20
> --=20
> 1.8.4.rc3

--=20
Ville Syrj=E4l=E4
Intel OTC