From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Ville Syrjälä
Subject: Re: [PATCH v3 23/23] drm/qxl: add overflow checks to qxl_mode_dumb_create()
Date: Fri, 18 Jan 2019 18:32:33 +0200
Message-ID: <20190118163233.GM20097@intel.com>
References: <20190118122020.27596-1-kraxel@redhat.com> <20190118122020.27596-24-kraxel@redhat.com> <20190118154944.GH3271@phenom.ffwll.local>
In-Reply-To: <20190118154944.GH3271@phenom.ffwll.local>
To: Gerd Hoffmann, dri-devel@lists.freedesktop.org, Dave Airlie, David Airlie, "open list:DRM DRIVER FOR QXL VIRTUAL GPU", "open list:DRM DRIVER FOR QXL VIRTUAL GPU", open list
List-Id: dri-devel@lists.freedesktop.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jan 18, 2019 at 04:49:44PM +0100, Daniel Vetter wrote:
> On Fri, Jan 18, 2019 at 01:20:20PM +0100, Gerd Hoffmann wrote:
> > Signed-off-by: Gerd Hoffmann
>
> We already do all reasonable overflow checks in drm_mode_create_dumb(). If
> you don't trust them I think it would be better time spent typing an igt to
> test this than adding a redundant check in all drivers.
>
> You're also missing one check for bpp underflows :-)

BTW I just noticed that we don't seem to be validating
create_dumb->flags at all. Someone should probably add some
checks for that, or mark it as deprecated in case we already
lost the battle with userspace stack garbage.

> -Daniel
>
> > --- > > drivers/gpu/drm/qxl/qxl_dumb.c | 10 ++++++---- > > 1 file changed, 6 insertions(+), 4 deletions(-) > > > > diff --git a/drivers/gpu/drm/qxl/qxl_dumb.c b/drivers/gpu/drm/qxl/qxl_dumb.c > > index 272d19b677..bed6d06ee4 100644 > > --- a/drivers/gpu/drm/qxl/qxl_dumb.c > > +++ b/drivers/gpu/drm/qxl/qxl_dumb.c
> > @@ -37,11 +37,13 @@ int qxl_mode_dumb_create(struct drm_file *file_priv, > > uint32_t handle; > > int r; > > struct qxl_surface surf; > > - uint32_t pitch, format; > > + uint32_t pitch, size, format; > > > > - pitch = args->width * ((args->bpp + 1) / 8); > > - args->size = pitch * args->height; > > - args->size = ALIGN(args->size, PAGE_SIZE); > > + if (check_mul_overflow(args->width, ((args->bpp + 1) / 8), &pitch)) > > + return -EINVAL; > > + if (check_mul_overflow(pitch, args->height, &size)) > > + return -EINVAL; > > + args->size = ALIGN(size, PAGE_SIZE); > > > > switch (args->bpp) { > > case 16: > > -- > > 2.9.3 > > > > -- > Daniel Vetter > Software Engineer, Intel Corporation > http://blog.ffwll.ch > _______________________________________________ > dri-devel mailing list > dri-devel@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/dri-devel -- Ville Syrjälä Intel
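
Review bot: the last added line, `args->size = ALIGN(size, PAGE_SIZE);`, still rounds up unchecked. `size` is declared `uint32_t`, so for a product within PAGE_SIZE - 1 of the 32-bit maximum both check_mul_overflow() calls pass and the alignment then wraps to 0. Reject such a size before aligning, for example with check_add_overflow() on size and PAGE_SIZE - 1, or do the round-up in a wider type. The first multiplication has a related gap: `(args->bpp + 1) / 8` is evaluated before the `switch (args->bpp)` that follows, so a bpp below 7 gives a multiplier of 0 and a zero pitch and size that neither check flags; validating bpp ahead of the arithmetic would cover it. The commit message is only a Signed-off-by line and should say which inputs overflow and why the driver needs its own check.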