From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dan Carpenter Date: Wed, 16 May 2018 14:00:26 +0000 Subject: [PATCH v2] drm/dumb-buffers: Integer overflow in drm_mode_create_ioctl() Message-Id: <20180516140026.GA19340@mwanda> List-Id: References: <152585393757.3513.738158010667924495@mail.alporthouse.com> In-Reply-To: <152585393757.3513.738158010667924495@mail.alporthouse.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: Gustavo Padovan Cc: David Airlie , kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org There is a comment here which says that DIV_ROUND_UP() and that's where the problem comes from. Say you pick: args->bpp = UINT_MAX - 7; args->width = 4; args->height = 1; The integer overflow in DIV_ROUND_UP() means "cpp" is UINT_MAX / 8 and because of how we picked args->width that means cpp < UINT_MAX / 4. I've fixed it by preventing the integer overflow in DIV_ROUND_UP(). I removed the check for !cpp because it's not possible after this change. I also changed all the 0xffffffffU references to U32_MAX. Signed-off-by: Dan Carpenter --- v2: additional cleanups diff --git a/drivers/gpu/drm/drm_dumb_buffers.c b/drivers/gpu/drm/drm_dumb_buffers.c index 39ac15ce4702..9e2ae02f31e0 100644 --- a/drivers/gpu/drm/drm_dumb_buffers.c +++ b/drivers/gpu/drm/drm_dumb_buffers.c @@ -65,12 +65,13 @@ int drm_mode_create_dumb_ioctl(struct drm_device *dev, return -EINVAL; /* overflow checks for 32bit size calculations */ - /* NOTE: DIV_ROUND_UP() can overflow */ + if (args->bpp > U32_MAX - 8) + return -EINVAL; cpp = DIV_ROUND_UP(args->bpp, 8); - if (!cpp || cpp > 0xffffffffU / args->width) + if (cpp > U32_MAX / args->width) return -EINVAL; stride = cpp * args->width; - if (args->height > 0xffffffffU / stride) + if (args->height > U32_MAX / stride) return -EINVAL; /* test for wrap-around */ From mboxrd@z Thu Jan 1 00:00:00 1970 
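Review bot: with `!cpp` dropped from `if (cpp > U32_MAX / args->width)`, the later `U32_MAX / stride` division is only safe if `args->bpp` can never be zero at this point, and nothing in the visible context shows that. The commit message says `!cpp` is not possible after this change, but the new `args->bpp > U32_MAX - 8` test only rules out the wrap, not `bpp == 0`. If the condition above the first context `return -EINVAL;` (not shown in the hunk) already rejects a zero `bpp`, state that in the commit message or in a comment; otherwise keep the `!cpp` test. The hunk also deletes `/* NOTE: DIV_ROUND_UP() can overflow */` without a replacement, so the new bound is unexplained: a one-line comment on the `U32_MAX - 8` check saying that it keeps the rounding addition inside DIV_ROUND_UP() from wrapping would help the next reader.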