* [PATCH] drm/amdkfd: Integer overflows in ioctl
@ 2018-04-24 13:35 Dan Carpenter
2018-04-24 18:58 ` Felix Kuehling
0 siblings, 1 reply; 5+ messages in thread
From: Dan Carpenter @ 2018-04-24 13:35 UTC (permalink / raw)
To: Oded Gabbay, Felix Kuehling
Cc: David (ChunMing) Zhou, David Airlie,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA,
amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW,
dri-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW, Alex Deucher,
Christian König
args->n_devices is a u32 that comes from the user. The multiplication
could overflow on 32 bit systems possibly leading to privilege
escalation.
Fixes: 5ec7e02854b3 ("drm/amdkfd: Add ioctls for GPUVM memory management")
Signed-off-by: Dan Carpenter dan.carpenter@oracle.com>
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
index cd679cf1fd30..ce36e556da38 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -1295,8 +1295,8 @@ static int kfd_ioctl_map_memory_to_gpu(struct file *filep,
return -EINVAL;
}
- devices_arr = kmalloc(args->n_devices * sizeof(*devices_arr),
- GFP_KERNEL);
+ devices_arr = kmalloc_array(args->n_devices, sizeof(*devices_arr),
+ GFP_KERNEL);
if (!devices_arr)
return -ENOMEM;
@@ -1404,8 +1404,8 @@ static int kfd_ioctl_unmap_memory_from_gpu(struct file *filep,
return -EINVAL;
}
- devices_arr = kmalloc(args->n_devices * sizeof(*devices_arr),
- GFP_KERNEL);
+ devices_arr = kmalloc_array(args->n_devices, sizeof(*devices_arr),
+ GFP_KERNEL);
if (!devices_arr)
return -ENOMEM;
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] drm/amdkfd: Integer overflows in ioctl
2018-04-24 13:35 [PATCH] drm/amdkfd: Integer overflows in ioctl Dan Carpenter
@ 2018-04-24 18:58 ` Felix Kuehling
[not found] ` <e2b7b3c1-cadb-330f-53a8-57568d4bc877-5C7GfCeVMHo@public.gmane.org>
2018-05-11 20:17 ` Oded Gabbay
0 siblings, 2 replies; 5+ messages in thread
From: Felix Kuehling @ 2018-04-24 18:58 UTC (permalink / raw)
To: Dan Carpenter, Oded Gabbay
Cc: David (ChunMing) Zhou, David Airlie,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA,
amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW,
dri-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW, Alex Deucher,
Christian König
Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
We could probably add a sanity check for n_devices to avoid user mode
causing excessive memory allocations in the kernel. There is no good
reason for this to be bigger than the number of GPUs in the system. The
maximum number of GPUs supported due to device minor limit in DRM is 128.
Regards,
 Felix
On 2018-04-24 09:35 AM, Dan Carpenter wrote:
> args->n_devices is a u32 that comes from the user. The multiplication
> could overflow on 32 bit systems possibly leading to privilege
> escalation.
>
> Fixes: 5ec7e02854b3 ("drm/amdkfd: Add ioctls for GPUVM memory management")
> Signed-off-by: Dan Carpenter dan.carpenter@oracle.com>
>
> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
> index cd679cf1fd30..ce36e556da38 100644
> --- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
> @@ -1295,8 +1295,8 @@ static int kfd_ioctl_map_memory_to_gpu(struct file *filep,
> return -EINVAL;
> }
>
> - devices_arr = kmalloc(args->n_devices * sizeof(*devices_arr),
> - GFP_KERNEL);
> + devices_arr = kmalloc_array(args->n_devices, sizeof(*devices_arr),
> + GFP_KERNEL);
> if (!devices_arr)
> return -ENOMEM;
>
> @@ -1404,8 +1404,8 @@ static int kfd_ioctl_unmap_memory_from_gpu(struct file *filep,
> return -EINVAL;
> }
>
> - devices_arr = kmalloc(args->n_devices * sizeof(*devices_arr),
> - GFP_KERNEL);
> + devices_arr = kmalloc_array(args->n_devices, sizeof(*devices_arr),
> + GFP_KERNEL);
> if (!devices_arr)
> return -ENOMEM;
>
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] drm/amdkfd: Integer overflows in ioctl
[not found] ` <e2b7b3c1-cadb-330f-53a8-57568d4bc877-5C7GfCeVMHo@public.gmane.org>
@ 2018-04-25 9:21 ` Dan Carpenter
2018-04-25 16:05 ` Felix Kuehling
0 siblings, 1 reply; 5+ messages in thread
From: Dan Carpenter @ 2018-04-25 9:21 UTC (permalink / raw)
To: Felix Kuehling
Cc: Oded Gabbay, David (ChunMing) Zhou, David Airlie,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA,
dri-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW,
amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW, Alex Deucher,
Christian König
On Tue, Apr 24, 2018 at 02:58:10PM -0400, Felix Kuehling wrote:
> Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
>
> We could probably add a sanity check for n_devices to avoid user mode
> causing excessive memory allocations in the kernel. There is no good
> reason for this to be bigger than the number of GPUs in the system. The
> maximum number of GPUs supported due to device minor limit in DRM is 128.
>
128 is sort of a magic number. Is there a MAX_GPU define or something?
regards,
dan carpenter
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] drm/amdkfd: Integer overflows in ioctl
2018-04-25 9:21 ` Dan Carpenter
@ 2018-04-25 16:05 ` Felix Kuehling
0 siblings, 0 replies; 5+ messages in thread
From: Felix Kuehling @ 2018-04-25 16:05 UTC (permalink / raw)
To: Dan Carpenter
Cc: Oded Gabbay, David (ChunMing) Zhou, David Airlie,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA,
dri-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW,
amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW, Alex Deucher,
Christian König
On 2018-04-25 05:21 AM, Dan Carpenter wrote:
> On Tue, Apr 24, 2018 at 02:58:10PM -0400, Felix Kuehling wrote:
>> Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
>>
>> We could probably add a sanity check for n_devices to avoid user mode
>> causing excessive memory allocations in the kernel. There is no good
>> reason for this to be bigger than the number of GPUs in the system. The
>> maximum number of GPUs supported due to device minor limit in DRM is 128.
>>
> 128 is sort of a magic number. Is there a MAX_GPU define or something?
Actually, looking at drm_minor_alloc in drm_file.c, the maximum is only
64 GPUs. It's just a magic number in the code. There is no #define or
enum for this.
Regards,
 Felix
>
> regards,
> dan carpenter
>
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] drm/amdkfd: Integer overflows in ioctl
2018-04-24 18:58 ` Felix Kuehling
[not found] ` <e2b7b3c1-cadb-330f-53a8-57568d4bc877-5C7GfCeVMHo@public.gmane.org>
@ 2018-05-11 20:17 ` Oded Gabbay
1 sibling, 0 replies; 5+ messages in thread
From: Oded Gabbay @ 2018-05-11 20:17 UTC (permalink / raw)
To: Felix Kuehling
Cc: David Airlie, kernel-janitors, Maling list - DRI developers,
amd-gfx list, Alex Deucher, Christian König, Dan Carpenter
On Tue, Apr 24, 2018 at 9:58 PM, Felix Kuehling <felix.kuehling@amd.com> wrote:
> Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
>
> We could probably add a sanity check for n_devices to avoid user mode
> causing excessive memory allocations in the kernel. There is no good
> reason for this to be bigger than the number of GPUs in the system. The
> maximum number of GPUs supported due to device minor limit in DRM is 128.
>
> Regards,
> Felix
>
>
> On 2018-04-24 09:35 AM, Dan Carpenter wrote:
>> args->n_devices is a u32 that comes from the user. The multiplication
>> could overflow on 32 bit systems possibly leading to privilege
>> escalation.
>>
>> Fixes: 5ec7e02854b3 ("drm/amdkfd: Add ioctls for GPUVM memory management")
>> Signed-off-by: Dan Carpenter dan.carpenter@oracle.com>
>>
>> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
>> index cd679cf1fd30..ce36e556da38 100644
>> --- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
>> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
>> @@ -1295,8 +1295,8 @@ static int kfd_ioctl_map_memory_to_gpu(struct file *filep,
>> return -EINVAL;
>> }
>>
>> - devices_arr = kmalloc(args->n_devices * sizeof(*devices_arr),
>> - GFP_KERNEL);
>> + devices_arr = kmalloc_array(args->n_devices, sizeof(*devices_arr),
>> + GFP_KERNEL);
>> if (!devices_arr)
>> return -ENOMEM;
>>
>> @@ -1404,8 +1404,8 @@ static int kfd_ioctl_unmap_memory_from_gpu(struct file *filep,
>> return -EINVAL;
>> }
>>
>> - devices_arr = kmalloc(args->n_devices * sizeof(*devices_arr),
>> - GFP_KERNEL);
>> + devices_arr = kmalloc_array(args->n_devices, sizeof(*devices_arr),
>> + GFP_KERNEL);
>> if (!devices_arr)
>> return -ENOMEM;
>>
>
Thanks!
Patch applied to amdkfd-fixes
Oded
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-05-11 20:17 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-04-24 13:35 [PATCH] drm/amdkfd: Integer overflows in ioctl Dan Carpenter
2018-04-24 18:58 ` Felix Kuehling
[not found] ` <e2b7b3c1-cadb-330f-53a8-57568d4bc877-5C7GfCeVMHo@public.gmane.org>
2018-04-25 9:21 ` Dan Carpenter
2018-04-25 16:05 ` Felix Kuehling
2018-05-11 20:17 ` Oded Gabbay
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox