From: "Zanoni, Paulo R" <paulo.r.zanoni@intel.com>
To: "De Marchi, Lucas" <lucas.demarchi@intel.com>
Cc: "intel-xe@lists.freedesktop.org" <intel-xe@lists.freedesktop.org>
Subject: Re: [Intel-xe] [PATCH 2/2] drm/xe: properly check bounds for xe_wait_user_fence_ioctl()
Date: Tue, 27 Jun 2023 21:25:36 +0000 [thread overview]
Message-ID: <7f2c6bb6bebf96de06f8633e20cf5bede43e4a18.camel@intel.com> (raw)
In-Reply-To: <dzs6mijmrgohz2hvcrpftkzabo6qlsgnfvo6c7vnlkh5xqladw@4qpmwqar73xu>
On Tue, 2023-06-27 at 16:30 -0300, Lucas De Marchi wrote:
> On Mon, Jun 26, 2023 at 02:22:21PM -0700, Paulo Zanoni wrote:
> > If !no_engines, then we use copy_from_user to copy to the 'eci' array,
> > which has XE_HW_ENGINE_MAX_INSTANCE members. The amount of members
> > copied is given by the user in args->num_engines, so add code to check
> > that args->num_engines does not exceed XE_HW_ENGINE_MAX_INSTANCE. It's
> > an unsigned value so there's no need to check for negative values.
> >
> > Fixes error messages such as:
> >
> > Buffer overflow detected (54 < 18446744073709551520)!
> >
> > Very simple reproducer:
> >
> > https://people.freedesktop.org/~pzanoni/wait-user-fence-bug/
>
> same comment as in the previous patch. It'd be better to have a code
> snippet in the commit message.
>
> >
> > Reviewed-by: José Roberto de Souza <jose.souza@intel.com>
> > Signed-off-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
> > ---
> > drivers/gpu/drm/xe/xe_wait_user_fence.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/gpu/drm/xe/xe_wait_user_fence.c b/drivers/gpu/drm/xe/xe_wait_user_fence.c
> > index 3122374341d6..098e2a4cff3f 100644
> > --- a/drivers/gpu/drm/xe/xe_wait_user_fence.c
> > +++ b/drivers/gpu/drm/xe/xe_wait_user_fence.c
> > @@ -121,6 +121,9 @@ int xe_wait_user_fence_ioctl(struct drm_device *dev, void *data,
> > addr & 0x7))
> > return -EINVAL;
> >
> > + if (XE_IOCTL_ERR(xe, args->num_engines > XE_HW_ENGINE_MAX_INSTANCE))
>
> XE_IOCTL_ERR() is soon going away, but we don't need to wait for it.
>
> Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
>
> For these 2 commits, let me know if you are sending a new version or if
> I should just add the code snippet while applying.
Feel free to amend the messages while applying, whatever approach you
choose is fine. Thanks!
>
> thanks
> Lucas De Marchi
>
> > + return -EINVAL;
> > +
> > if (!no_engines) {
> > err = copy_from_user(eci, user_eci,
> > sizeof(struct drm_xe_engine_class_instance) *
> > --
> > 2.39.2
> >
next prev parent reply other threads:[~2023-06-27 21:25 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-26 21:22 [Intel-xe] [PATCH 1/2 v2] drm/xe: fix bounds checking for 'len' in xe_engine_create_ioctl Paulo Zanoni
2023-06-26 21:22 ` [Intel-xe] [PATCH 2/2] drm/xe: properly check bounds for xe_wait_user_fence_ioctl() Paulo Zanoni
2023-06-27 19:30 ` Lucas De Marchi
2023-06-27 21:25 ` Zanoni, Paulo R [this message]
2023-06-26 21:24 ` [Intel-xe] ✓ CI.Patch_applied: success for series starting with [1/2,v2] drm/xe: fix bounds checking for 'len' in xe_engine_create_ioctl Patchwork
2023-06-26 21:24 ` [Intel-xe] ✗ CI.checkpatch: warning " Patchwork
2023-06-26 21:26 ` [Intel-xe] ✓ CI.KUnit: success " Patchwork
2023-06-26 21:29 ` [Intel-xe] ✓ CI.Build: " Patchwork
2023-06-26 21:30 ` [Intel-xe] ✓ CI.Hooks: " Patchwork
2023-06-26 21:31 ` [Intel-xe] ✓ CI.checksparse: " Patchwork
2023-06-26 22:09 ` [Intel-xe] ○ CI.BAT: info " Patchwork
2023-06-26 22:25 ` [Intel-xe] [PATCH 1/2 v2] " Matthew Brost
2023-06-27 18:17 ` Souza, Jose
2023-06-27 19:10 ` Lucas De Marchi
2023-06-27 21:24 ` Zanoni, Paulo R
2023-06-29 4:06 ` Lucas De Marchi
-- strict thread matches above, loose matches on Subject: below --
2023-06-22 22:42 [Intel-xe] [PATCH 1/2] drm/xe: check for negative " Paulo Zanoni
2023-06-22 22:42 ` [Intel-xe] [PATCH 2/2] drm/xe: properly check bounds for xe_wait_user_fence_ioctl() Paulo Zanoni
2023-06-22 22:56 ` Souza, Jose
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7f2c6bb6bebf96de06f8633e20cf5bede43e4a18.camel@intel.com \
--to=paulo.r.zanoni@intel.com \
--cc=intel-xe@lists.freedesktop.org \
--cc=lucas.demarchi@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox