From: Daniel Vetter <daniel@ffwll.ch>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: David Airlie <airlied@linux.ie>,
kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] drm/dumb-buffers: Integer overflow in drm_mode_create_ioctl()
Date: Wed, 09 May 2018 08:23:07 +0000 [thread overview]
Message-ID: <20180509082307.GS28661@phenom.ffwll.local> (raw)
In-Reply-To: <20180509072249.GA12754@mwanda>
On Wed, May 09, 2018 at 10:22:49AM +0300, Dan Carpenter wrote:
> There is a comment here which says that DIV_ROUND_UP() and that's where
> the problem comes from. Say you pick:
>
> args->bpp = UINT_MAX - 7;
> args->width = 4;
> args->height = 1;
>
> The integer overflow in DIV_ROUND_UP() means "cpp" is UINT_MAX / 8 and
> because of how we picked args->width that means cpp < UINT_MAX / 4.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> Btw, DIV_ROUND_UP() integer overflows have been a recurring source of
> bugs so I have an unreleased static checker warning specific for that.
> This line triggers three warnings for me on my unreleased code:
>
> drivers/gpu/drm/drm_dumb_buffers.c:69 drm_mode_create_dumb_ioctl() warn: negative user subtract: 0-u32max - 1
> drivers/gpu/drm/drm_dumb_buffers.c:69 drm_mode_create_dumb_ioctl() warn: potential integer overflow from user '(args->bpp) + (8)'
> drivers/gpu/drm/drm_dumb_buffers.c:69 drm_mode_create_dumb_ioctl() warn: potential integer overflow in 'DIV_ROUND_UP'
>
> It's a pretty common idiom in the kernel to overflow and then test for
> it later so I'm not able to release this code because of the number of
> false positives that this idiom causes...
>
> diff --git a/drivers/gpu/drm/drm_dumb_buffers.c b/drivers/gpu/drm/drm_dumb_buffers.c
> index 39ac15ce4702..45b0b5bbb5f8 100644
> --- a/drivers/gpu/drm/drm_dumb_buffers.c
> +++ b/drivers/gpu/drm/drm_dumb_buffers.c
> @@ -65,7 +65,8 @@ int drm_mode_create_dumb_ioctl(struct drm_device *dev,
> return -EINVAL;
>
> /* overflow checks for 32bit size calculations */
> - /* NOTE: DIV_ROUND_UP() can overflow */
> + if (args->bpp > UINT_MAX - 8)
> + return -EINVAL;
> cpp = DIV_ROUND_UP(args->bpp, 8);
> if (!cpp || cpp > 0xffffffffU / args->width)
The !cpp check is now redundant, this was our minimal overflow check. Note
that we only really care for cpp != 0 and that the size calculation doesn't
overflow. Userspace specifying a completely bogus bpp value is ok
otherwise (reasonable values only go up to about 128). So I think there's
no security issue here.
Anyway, can you pls respin with the !cpp check removed? See also
commit 6a77e80e55cacace60ff03aa717a6d364a401d2b (HEAD -> stuff)
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date: Mon Apr 30 17:04:10 2018 +0200
backlight: remove obsolete comment for ->state
for context.
Thanks, Daniel
> return -EINVAL;
> _______________________________________________
> dri-devel mailing list
> dri-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
prev parent reply other threads:[~2018-05-09 8:23 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-09 7:22 [PATCH] drm/dumb-buffers: Integer overflow in drm_mode_create_ioctl() Dan Carpenter
2018-05-09 8:12 ` [PATCH v2] " Dan Carpenter
2018-05-09 8:18 ` Chris Wilson
2018-05-09 11:59 ` Dan Carpenter
2018-05-16 14:00 ` Dan Carpenter
2018-05-16 14:26 ` Chris Wilson
2018-05-16 14:52 ` Dan Carpenter
[not found] ` <152648261507.11239.9847993632251714966@mail.alporthouse.com>
2018-05-16 15:15 ` Dan Carpenter
2018-05-16 15:41 ` Dan Carpenter
2018-05-16 15:57 ` Daniel Vetter
2018-05-09 8:23 ` Daniel Vetter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180509082307.GS28661@phenom.ffwll.local \
--to=daniel@ffwll.ch \
--cc=airlied@linux.ie \
--cc=dan.carpenter@oracle.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=kernel-janitors@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox