From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dan Carpenter
Date: Wed, 09 May 2018 07:22:49 +0000
Subject: [PATCH] drm/dumb-buffers: Integer overflow in drm_mode_create_ioctl()
Message-Id: <20180509072249.GA12754@mwanda>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: Gustavo Padovan , David Herrmann
Cc: David Airlie , kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org

There is a comment here which says that DIV_ROUND_UP() and that's where
the problem comes from.  Say you pick:

	args->bpp = UINT_MAX - 7;
	args->width = 4;
	args->height = 1;

The integer overflow in DIV_ROUND_UP() means "cpp" is UINT_MAX / 8 and
because of how we picked args->width that means cpp < UINT_MAX / 4.

Signed-off-by: Dan Carpenter
---
Btw, DIV_ROUND_UP() integer overflows have been a recurring source of
bugs so I have an unreleased static checker warning specific for that.
This line triggers three warnings for me on my unreleased code:

drivers/gpu/drm/drm_dumb_buffers.c:69 drm_mode_create_dumb_ioctl() warn: negative user subtract: 0-u32max - 1
drivers/gpu/drm/drm_dumb_buffers.c:69 drm_mode_create_dumb_ioctl() warn: potential integer overflow from user '(args->bpp) + (8)'
drivers/gpu/drm/drm_dumb_buffers.c:69 drm_mode_create_dumb_ioctl() warn: potential integer overflow in 'DIV_ROUND_UP'

It's a pretty common idiom in the kernel to overflow and then test for
it later so I'm not able to release this code because of the number of
false positives that this idiom causes...

diff --git a/drivers/gpu/drm/drm_dumb_buffers.c b/drivers/gpu/drm/drm_dumb_buffers.c index 39ac15ce4702..45b0b5bbb5f8 100644 --- a/drivers/gpu/drm/drm_dumb_buffers.c +++ b/drivers/gpu/drm/drm_dumb_buffers.c
@@ -65,7 +65,8 @@ int drm_mode_create_dumb_ioctl(struct drm_device *dev, return -EINVAL; /* overflow checks for 32bit size calculations */ - /* NOTE: DIV_ROUND_UP() can overflow */ + if (args->bpp > UINT_MAX - 8) + return -EINVAL; cpp = DIV_ROUND_UP(args->bpp, 8); if (!cpp || cpp > 0xffffffffU / args->width) return -EINVAL; From mboxrd@z Thu Jan 1 00:00:00 1970 
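Review bot: The bound in `if (args->bpp > UINT_MAX - 8)` is tied to the `(args->bpp) + (8)` intermediate that the checker warning quotes, which is formed before the `- 1` inside DIV_ROUND_UP(), so the check rejects every bpp for which that addition can wrap; rather than dropping `/* NOTE: DIV_ROUND_UP() can overflow */` outright, consider a one-line comment saying the bound comes from the macro's `n + d` step, so a later reader does not "correct" it to UINT_MAX - 7. The following `if (!cpp || cpp > 0xffffffffU / args->width)` must stay as it is: within this hunk, `!cpp` is what rejects args->bpp == 0 (DIV_ROUND_UP(0, 8) evaluates to 0), and the new check does not cover that case.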
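As an added, stand-alone illustration of the arithmetic behind the hunk (example code written for this page, not Dan Carpenter's patch and not the kernel's drm_dumb_buffers.c), the program below reproduces DIV_ROUND_UP() in 32-bit unsigned arithmetic, reports which bpp values make the `n + d` step wrap, compares the wrapped result with the exact ceiling, and applies the patched validation order. The names `bpp_sum_wraps`, `cpp_unchecked`, `cpp_exact`, `validate_dumb_args` and `validated_cpp` are this example's own; the zero-width rejection is an assumption standing in for the checks above line 65 that the hunk does not show.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Same shape as the kernel macro: ((n) + (d) - 1) / (d). C evaluates
 * (n) + (d) first, so in 32-bit unsigned arithmetic that sum wraps
 * whenever n > UINT32_MAX - d, before the "- 1" is ever applied.
 */
#define DIV_ROUND_UP_U32(n, d) \
	(((uint32_t)(n) + (uint32_t)(d) - 1u) / (uint32_t)(d))

/* 1 if the (bpp + 8) step inside DIV_ROUND_UP(bpp, 8) wraps, else 0. */
int bpp_sum_wraps(uint32_t bpp)
{
	return bpp > UINT32_MAX - 8u;
}

/* cpp exactly as the unpatched code computes it, wrap included. */
uint32_t cpp_unchecked(uint32_t bpp)
{
	return DIV_ROUND_UP_U32(bpp, 8);
}

/* Mathematically exact ceil(bpp / 8), computed without any wrap. */
uint32_t cpp_exact(uint32_t bpp)
{
	return bpp / 8u + (bpp % 8u != 0);
}

/*
 * Validation in the patched order: reject bpp before forming cpp, then
 * keep the pre-existing !cpp and width checks. Returns 0 and stores cpp
 * on success, -EINVAL otherwise. The zero-width rejection is an
 * assumption standing in for the checks above the hunk.
 */
int validate_dumb_args(uint32_t bpp, uint32_t width, uint32_t *cpp_out)
{
	uint32_t cpp;

	if (width == 0)
		return -EINVAL;
	if (bpp > UINT32_MAX - 8u)	/* the check the hunk adds */
		return -EINVAL;
	cpp = DIV_ROUND_UP_U32(bpp, 8);
	if (!cpp || cpp > 0xffffffffU / width)
		return -EINVAL;
	*cpp_out = cpp;
	return 0;
}

/* Convenience wrapper: cpp on success, -1 if the arguments were rejected. */
int64_t validated_cpp(uint32_t bpp, uint32_t width)
{
	uint32_t cpp;

	if (validate_dumb_args(bpp, width, &cpp) != 0)
		return -1;
	return (int64_t)cpp;
}

int main(void)
{
	/* Constructed inputs: an ordinary request, zero, the edge values of
	 * the new bound, the commit message's example and its neighbours. */
	const uint32_t samples[] = {
		32u, 0u, UINT32_MAX - 8u, UINT32_MAX - 7u, UINT32_MAX - 6u, UINT32_MAX,
	};
	const uint32_t width = 4u;
	size_t i;

	printf("%-12s %-5s %-12s %-12s %s\n",
	       "bpp", "wraps", "cpp(macro)", "cpp(exact)", "patched result");
	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint32_t bpp = samples[i];
		int64_t r = validated_cpp(bpp, width);

		printf("0x%08" PRIx32 "   %-5d 0x%08" PRIx32 "   0x%08" PRIx32 "   %s\n",
		       bpp, bpp_sum_wraps(bpp), cpp_unchecked(bpp), cpp_exact(bpp),
		       r < 0 ? "-EINVAL" : "accepted");
	}
	return 0;
}
```

The table makes the two failure shapes visible side by side: for the topmost bpp values the wrapped sum drives cpp to 0, which the old `!cpp` test already catches, while for bpp = UINT_MAX - 7 the sum wraps to 0 and the `- 1` wraps back to UINT32_MAX, so the macro lands on UINT_MAX / 8 exactly as the commit message says; the added `UINT32_MAX - 8` bound rejects the whole wrapping range before cpp is formed, without touching valid requests such as 32 bpp.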