* [patch] drm/radeon: integer underflow in radeon_cp_dispatch_texture()
@ 2014-12-23 9:56 Dan Carpenter
2014-12-29 9:42 ` Christian König
2015-01-05 17:10 ` Alex Deucher
0 siblings, 2 replies; 3+ messages in thread
From: Dan Carpenter @ 2014-12-23 9:56 UTC (permalink / raw)
To: Alex Deucher; +Cc: Sasha Levin, Christian König, dri-devel
The test:
if (size > RADEON_MAX_TEXTURE_SIZE) {
"size" is an integer and it's controled by the user so it can be
negative and the test can underflow. Later we use "size" in:
dwords = size / 4;
...
RADEON_COPY_MT(buffer, data, (int)(dwords * sizeof(u32)));
It causes memory corruption to copy a negative size buffer.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
Static checkers complain about the integer overflows here, and there are
many real overflows but they appear harmless.
diff --git a/drivers/gpu/drm/radeon/radeon_state.c b/drivers/gpu/drm/radeon/radeon_state.c
index 535403e..15aee72 100644
--- a/drivers/gpu/drm/radeon/radeon_state.c
+++ b/drivers/gpu/drm/radeon/radeon_state.c
@@ -1703,7 +1703,7 @@ static int radeon_cp_dispatch_texture(struct drm_device * dev,
u32 format;
u32 *buffer;
const u8 __user *data;
- int size, dwords, tex_width, blit_width, spitch;
+ unsigned int size, dwords, tex_width, blit_width, spitch;
u32 height;
int i;
u32 texpitch, microtile;
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [patch] drm/radeon: integer underflow in radeon_cp_dispatch_texture()
2014-12-23 9:56 [patch] drm/radeon: integer underflow in radeon_cp_dispatch_texture() Dan Carpenter
@ 2014-12-29 9:42 ` Christian König
2015-01-05 17:10 ` Alex Deucher
1 sibling, 0 replies; 3+ messages in thread
From: Christian König @ 2014-12-29 9:42 UTC (permalink / raw)
To: Dan Carpenter, Alex Deucher; +Cc: Sasha Levin, dri-devel
Am 23.12.2014 um 10:56 schrieb Dan Carpenter:
> The test:
>
> if (size > RADEON_MAX_TEXTURE_SIZE) {
>
> "size" is an integer and it's controled by the user so it can be
> negative and the test can underflow. Later we use "size" in:
>
> dwords = size / 4;
> ...
> RADEON_COPY_MT(buffer, data, (int)(dwords * sizeof(u32)));
>
> It causes memory corruption to copy a negative size buffer.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
This specific line of code is completely deprecated and the patch is
just another coffin nail to finally remove it.
But since we can't be sure that it doesn't break any userspace still in
use I'm generally ok to apply the patch and it is Reviewed-by: Christian
König <christian.koenig@amd.com>
Regards,
Christian.
> ---
> Static checkers complain about the integer overflows here, and there are
> many real overflows but they appear harmless.
>
> diff --git a/drivers/gpu/drm/radeon/radeon_state.c b/drivers/gpu/drm/radeon/radeon_state.c
> index 535403e..15aee72 100644
> --- a/drivers/gpu/drm/radeon/radeon_state.c
> +++ b/drivers/gpu/drm/radeon/radeon_state.c
> @@ -1703,7 +1703,7 @@ static int radeon_cp_dispatch_texture(struct drm_device * dev,
> u32 format;
> u32 *buffer;
> const u8 __user *data;
> - int size, dwords, tex_width, blit_width, spitch;
> + unsigned int size, dwords, tex_width, blit_width, spitch;
> u32 height;
> int i;
> u32 texpitch, microtile;
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [patch] drm/radeon: integer underflow in radeon_cp_dispatch_texture()
2014-12-23 9:56 [patch] drm/radeon: integer underflow in radeon_cp_dispatch_texture() Dan Carpenter
2014-12-29 9:42 ` Christian König
@ 2015-01-05 17:10 ` Alex Deucher
1 sibling, 0 replies; 3+ messages in thread
From: Alex Deucher @ 2015-01-05 17:10 UTC (permalink / raw)
To: Dan Carpenter
Cc: Alex Deucher, Sasha Levin, Christian König,
Maling list - DRI developers
On Tue, Dec 23, 2014 at 4:56 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> The test:
>
> if (size > RADEON_MAX_TEXTURE_SIZE) {
>
> "size" is an integer and it's controled by the user so it can be
> negative and the test can underflow. Later we use "size" in:
>
> dwords = size / 4;
> ...
> RADEON_COPY_MT(buffer, data, (int)(dwords * sizeof(u32)));
>
> It causes memory corruption to copy a negative size buffer.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Applied to my fixes tree. thanks!
Alex
> ---
> Static checkers complain about the integer overflows here, and there are
> many real overflows but they appear harmless.
>
> diff --git a/drivers/gpu/drm/radeon/radeon_state.c b/drivers/gpu/drm/radeon/radeon_state.c
> index 535403e..15aee72 100644
> --- a/drivers/gpu/drm/radeon/radeon_state.c
> +++ b/drivers/gpu/drm/radeon/radeon_state.c
> @@ -1703,7 +1703,7 @@ static int radeon_cp_dispatch_texture(struct drm_device * dev,
> u32 format;
> u32 *buffer;
> const u8 __user *data;
> - int size, dwords, tex_width, blit_width, spitch;
> + unsigned int size, dwords, tex_width, blit_width, spitch;
> u32 height;
> int i;
> u32 texpitch, microtile;
> _______________________________________________
> dri-devel mailing list
> dri-devel@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/dri-devel
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2015-01-05 17:10 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-12-23 9:56 [patch] drm/radeon: integer underflow in radeon_cp_dispatch_texture() Dan Carpenter
2014-12-29 9:42 ` Christian König
2015-01-05 17:10 ` Alex Deucher
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.