From: Ville Syrjälä
Subject: Re: [PATCH] drm: Restrict ioctl size to kernel struct size
Date: Tue, 22 Oct 2013 13:40:04 +0300
Message-ID: <20131022104004.GE13047@intel.com>
References: <20131017001235.3077.92963.stgit@IRBT4585> <1382434683-32048-1-git-send-email-chris@chris-wilson.co.uk>
In-Reply-To: <1382434683-32048-1-git-send-email-chris@chris-wilson.co.uk>
To: Chris Wilson
Cc: Pavel Roskin, dri-devel@lists.freedesktop.org

On Tue, Oct 22, 2013 at 10:38:03AM +0100, Chris Wilson wrote:
> Prevent the user from passing in an ioctl command with up to 16,383
> bytes specified for the struct to be allocated and copied, and
> instead only allocate enough space to satisfy the kernel.
>
> Suggested-by: Pavel Roskin
> Signed-off-by: Chris Wilson
> Cc: Pavel Roskin
> Cc: dri-devel@lists.freedesktop.org

Reviewed-by: Ville Syrjälä

> --- > drivers/gpu/drm/drm_drv.c | 30 +++++++++++++----------------- > 1 file changed, 13 insertions(+), 17 deletions(-) > = > diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c > index 05ad9ba0a67e..8c5fbc9d41ad 100644 > --- a/drivers/gpu/drm/drm_drv.c > +++ b/drivers/gpu/drm/drm_drv.c
> @@ -354,6 +354,16 @@ static int drm_version(struct drm_device *dev, void = *data, > return err; > } > = > +static unsigned ioctl_size(unsigned kcmd, unsigned ucmd, unsigned *ksize= , unsigned *usize) > +{ > + *ksize =3D _IOC_SIZE(kcmd); > + *usize =3D _IOC_SIZE(ucmd); > + if (*usize > *ksize) > + *usize =3D *ksize; > + > + return kcmd; > +} > + > /** > * Called whenever a process performs an ioctl on /dev/drm. > * > @@ -393,25 +403,11 @@ long drm_ioctl(struct file *filp, > goto err_i1; > if ((nr >=3D DRM_COMMAND_BASE) && (nr < DRM_COMMAND_END) && > (nr < DRM_COMMAND_BASE + dev->driver->num_ioctls)) { > - u32 drv_size; > ioctl =3D &dev->driver->ioctls[nr - DRM_COMMAND_BASE]; > - drv_size =3D _IOC_SIZE(ioctl->cmd_drv); > - usize =3D asize =3D _IOC_SIZE(cmd); > - if (drv_size > asize) > - asize =3D drv_size; > - cmd =3D ioctl->cmd_drv; > - } > - else if ((nr >=3D DRM_COMMAND_END) || (nr < DRM_COMMAND_BASE)) { > - u32 drv_size; > - > + cmd =3D ioctl_size(ioctl->cmd_drv, cmd, &asize, &usize); > + } else if ((nr >=3D DRM_COMMAND_END) || (nr < DRM_COMMAND_BASE)) { > ioctl =3D &drm_ioctls[nr]; > - > - drv_size =3D _IOC_SIZE(ioctl->cmd); > - usize =3D asize =3D _IOC_SIZE(cmd); > - if (drv_size > asize) > - asize =3D drv_size; > - > - cmd =3D ioctl->cmd; > + cmd =3D ioctl_size(ioctl->cmd, cmd, &asize, &usize); > } else > goto err_i1; > = > -- = > 1.8.4.rc3

-- 
Ville Syrjälä
Intel OTC
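
Review bot: In the first hunk, ioctl_size() returns kcmd unchanged while its real results come back through *ksize and *usize, so both the name and the return value mislead: a reader expects a size, and the call site `cmd = ioctl_size(ioctl->cmd_drv, cmd, &asize, &usize);` hides that cmd is being replaced by the kernel's own command value. Consider making the helper return void and keeping an explicit `cmd = ioctl->cmd_drv;` in the caller, and add a one-line comment stating that *usize is clamped to *ksize, since that clamp is the point of the patch. Kernel style also prefers `unsigned int` to bare `unsigned` in the signature.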
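
Review bot: In the drm_ioctl() hunk, a user struct larger than the kernel's is now truncated silently. The removed lines set asize to the larger of drv_size and the user-supplied size, while the new calls set asize to the kernel size and cap usize at it, so trailing bytes from userspace are neither copied nor reported. The commit message should state that truncation, rather than an error return, is the intended behaviour for oversized commands. The opposite case, usize smaller than asize, is not changed by this hunk, but the lines shown do not include the code that deals with the uncopied tail of the asize buffer; it is worth confirming that the tail is zeroed before the handler runs.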