[PATCH] dma-buf: udmabuf: avoid list copy size overflow

Linux Media Controller development
 help / color / mirror / Atom feed

* [PATCH] dma-buf: udmabuf: avoid list copy size overflow
@ 2026-06-24 12:52 Yousef Alhouseen
  2026-06-24 12:58 ` Christian König
  0 siblings, 1 reply; 5+ messages in thread
From: Yousef Alhouseen @ 2026-06-24 12:52 UTC (permalink / raw)
  To: Gerd Hoffmann, Vivek Kasireddy, Sumit Semwal,
	Christian König
  Cc: dri-devel, linux-media, linaro-mm-sig, linux-kernel,
	Yousef Alhouseen

UDMABUF_CREATE_LIST copies an array whose element count comes from
userspace. The count is compared against list_limit, but list_limit is a
signed module parameter while the count is u32.

If the limit is raised too far or made negative, that comparison no
longer bounds the count to a range where sizeof(*list) * count fits in
the u32 temporary used for the copy length. A wrapped copy length lets
memdup_user() copy fewer entries than udmabuf_create() subsequently
walks, leading to out-of-bounds reads from the copied list.

Take a positive snapshot of the module limit and use memdup_array_user()
so the multiplication is checked before copying.

Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
---
 drivers/dma-buf/udmabuf.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
index bced421c0..b4078ec84 100644
--- a/drivers/dma-buf/udmabuf.c
+++ b/drivers/dma-buf/udmabuf.c
@@ -469,14 +469,15 @@ static long udmabuf_ioctl_create_list(struct file *filp, unsigned long arg)
 	struct udmabuf_create_list head;
 	struct udmabuf_create_item *list;
 	int ret = -EINVAL;
-	u32 lsize;
+	int limit;

 	if (copy_from_user(&head, (void __user *)arg, sizeof(head)))
 		return -EFAULT;
-	if (head.count > list_limit)
+	limit = READ_ONCE(list_limit);
+	if (!head.count || limit <= 0 || head.count > limit)
 		return -EINVAL;
-	lsize = sizeof(struct udmabuf_create_item) * head.count;
-	list = memdup_user((void __user *)(arg + sizeof(head)), lsize);
+	list = memdup_array_user((void __user *)(arg + sizeof(head)),
+				 head.count, sizeof(*list));
 	if (IS_ERR(list))
 		return PTR_ERR(list);

-- 
2.54.0

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] dma-buf: udmabuf: avoid list copy size overflow
  2026-06-24 12:52 [PATCH] dma-buf: udmabuf: avoid list copy size overflow Yousef Alhouseen
@ 2026-06-24 12:58 ` Christian König
  2026-06-25  9:07   ` Yousef Alhouseen
  2026-06-26 11:31   ` David Laight
  0 siblings, 2 replies; 5+ messages in thread
From: Christian König @ 2026-06-24 12:58 UTC (permalink / raw)
  To: Yousef Alhouseen, Gerd Hoffmann, Vivek Kasireddy, Sumit Semwal
  Cc: dri-devel, linux-media, linaro-mm-sig, linux-kernel

On 6/24/26 14:52, Yousef Alhouseen wrote:
> UDMABUF_CREATE_LIST copies an array whose element count comes from
> userspace. The count is compared against list_limit, but list_limit is a
> signed module parameter while the count is u32.

We should probably just drop the sign from the module parameter instead.

I don't see an use case for negative values here.

Regards,
Christian.

> 
> If the limit is raised too far or made negative, that comparison no
> longer bounds the count to a range where sizeof(*list) * count fits in
> the u32 temporary used for the copy length. A wrapped copy length lets
> memdup_user() copy fewer entries than udmabuf_create() subsequently
> walks, leading to out-of-bounds reads from the copied list.
> 
> Take a positive snapshot of the module limit and use memdup_array_user()
> so the multiplication is checked before copying.
> 
> Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
> ---
>  drivers/dma-buf/udmabuf.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
> index bced421c0..b4078ec84 100644
> --- a/drivers/dma-buf/udmabuf.c
> +++ b/drivers/dma-buf/udmabuf.c
> @@ -469,14 +469,15 @@ static long udmabuf_ioctl_create_list(struct file *filp, unsigned long arg)
>         struct udmabuf_create_list head;
>         struct udmabuf_create_item *list;
>         int ret = -EINVAL;
> -       u32 lsize;
> +       int limit;
> 
>         if (copy_from_user(&head, (void __user *)arg, sizeof(head)))
>                 return -EFAULT;
> -       if (head.count > list_limit)
> +       limit = READ_ONCE(list_limit);
> +       if (!head.count || limit <= 0 || head.count > limit)
>                 return -EINVAL;
> -       lsize = sizeof(struct udmabuf_create_item) * head.count;
> -       list = memdup_user((void __user *)(arg + sizeof(head)), lsize);
> +       list = memdup_array_user((void __user *)(arg + sizeof(head)),
> +                                head.count, sizeof(*list));
>         if (IS_ERR(list))
>                 return PTR_ERR(list);
> 
> --
> 2.54.0
> 


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] dma-buf: udmabuf: avoid list copy size overflow
  2026-06-24 12:58 ` Christian König
@ 2026-06-25  9:07   ` Yousef Alhouseen
  2026-06-26 11:31   ` David Laight
  1 sibling, 0 replies; 5+ messages in thread
From: Yousef Alhouseen @ 2026-06-25  9:07 UTC (permalink / raw)
  To: Christian König, Gerd Hoffmann, Vivek Kasireddy,
	Sumit Semwal
  Cc: dri-devel, linux-media, linaro-mm-sig, linux-kernel

Hi Christian,

Agreed. I sent a follow-up that makes list_limit unsigned and keeps
the checked array copy path.

Thanks,
Yousef

On Wed, 24 Jun 2026 14:58:58 +0200, "Christian König"
<christian.koenig@amd.com> wrote:
> On 6/24/26 14:52, Yousef Alhouseen wrote:
> > UDMABUF_CREATE_LIST copies an array whose element count comes from
> > userspace. The count is compared against list_limit, but list_limit is a
> > signed module parameter while the count is u32.
>
> We should probably just drop the sign from the module parameter instead.
>
> I don't see an use case for negative values here.
>
> Regards,
> Christian.
>
> >
> > If the limit is raised too far or made negative, that comparison no
> > longer bounds the count to a range where sizeof(*list) * count fits in
> > the u32 temporary used for the copy length. A wrapped copy length lets
> > memdup_user() copy fewer entries than udmabuf_create() subsequently
> > walks, leading to out-of-bounds reads from the copied list.
> >
> > Take a positive snapshot of the module limit and use memdup_array_user()
> > so the multiplication is checked before copying.
> >
> > Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
> > ---
> > drivers/dma-buf/udmabuf.c | 9 +++++----
> > 1 file changed, 5 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
> > index bced421c0..b4078ec84 100644
> > --- a/drivers/dma-buf/udmabuf.c
> > +++ b/drivers/dma-buf/udmabuf.c
> > @@ -469,14 +469,15 @@ static long udmabuf_ioctl_create_list(struct file *filp, unsigned long arg)
> > struct udmabuf_create_list head;
> > struct udmabuf_create_item *list;
> > int ret = -EINVAL;
> > - u32 lsize;
> > + int limit;
> >
> > if (copy_from_user(&head, (void __user *)arg, sizeof(head)))
> > return -EFAULT;
> > - if (head.count > list_limit)
> > + limit = READ_ONCE(list_limit);
> > + if (!head.count || limit <= 0 || head.count > limit)
> > return -EINVAL;
> > - lsize = sizeof(struct udmabuf_create_item) * head.count;
> > - list = memdup_user((void __user *)(arg + sizeof(head)), lsize);
> > + list = memdup_array_user((void __user *)(arg + sizeof(head)),
> > + head.count, sizeof(*list));
> > if (IS_ERR(list))
> > return PTR_ERR(list);
> >
> > --
> > 2.54.0
> >

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] dma-buf: udmabuf: avoid list copy size overflow
  2026-06-24 12:58 ` Christian König
  2026-06-25  9:07   ` Yousef Alhouseen
@ 2026-06-26 11:31   ` David Laight
  2026-06-26 12:23     ` Christian König
  1 sibling, 1 reply; 5+ messages in thread
From: David Laight @ 2026-06-26 11:31 UTC (permalink / raw)
  To: Christian König
  Cc: Yousef Alhouseen, Gerd Hoffmann, Vivek Kasireddy, Sumit Semwal,
	dri-devel, linux-media, linaro-mm-sig, linux-kernel

On Wed, 24 Jun 2026 14:58:58 +0200
Christian König <christian.koenig@amd.com> wrote:

> On 6/24/26 14:52, Yousef Alhouseen wrote:
> > UDMABUF_CREATE_LIST copies an array whose element count comes from
> > userspace. The count is compared against list_limit, but list_limit is a
> > signed module parameter while the count is u32.  
> 
> We should probably just drop the sign from the module parameter instead.

Does anything sanity-check the module parameter?

	David

> 
> I don't see an use case for negative values here.
> 
> Regards,
> Christian.
> 
> > 
> > If the limit is raised too far or made negative, that comparison no
> > longer bounds the count to a range where sizeof(*list) * count fits in
> > the u32 temporary used for the copy length. A wrapped copy length lets
> > memdup_user() copy fewer entries than udmabuf_create() subsequently
> > walks, leading to out-of-bounds reads from the copied list.
> > 
> > Take a positive snapshot of the module limit and use memdup_array_user()
> > so the multiplication is checked before copying.
> > 
> > Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
> > ---
> >  drivers/dma-buf/udmabuf.c | 9 +++++----
> >  1 file changed, 5 insertions(+), 4 deletions(-)
> > 
> > diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
> > index bced421c0..b4078ec84 100644
> > --- a/drivers/dma-buf/udmabuf.c
> > +++ b/drivers/dma-buf/udmabuf.c
> > @@ -469,14 +469,15 @@ static long udmabuf_ioctl_create_list(struct file *filp, unsigned long arg)
> >         struct udmabuf_create_list head;
> >         struct udmabuf_create_item *list;
> >         int ret = -EINVAL;
> > -       u32 lsize;
> > +       int limit;
> > 
> >         if (copy_from_user(&head, (void __user *)arg, sizeof(head)))
> >                 return -EFAULT;
> > -       if (head.count > list_limit)
> > +       limit = READ_ONCE(list_limit);
> > +       if (!head.count || limit <= 0 || head.count > limit)
> >                 return -EINVAL;
> > -       lsize = sizeof(struct udmabuf_create_item) * head.count;
> > -       list = memdup_user((void __user *)(arg + sizeof(head)), lsize);
> > +       list = memdup_array_user((void __user *)(arg + sizeof(head)),
> > +                                head.count, sizeof(*list));
> >         if (IS_ERR(list))
> >                 return PTR_ERR(list);
> > 
> > --
> > 2.54.0
> >   
> 
> 


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] dma-buf: udmabuf: avoid list copy size overflow
  2026-06-26 11:31   ` David Laight
@ 2026-06-26 12:23     ` Christian König
  0 siblings, 0 replies; 5+ messages in thread
From: Christian König @ 2026-06-26 12:23 UTC (permalink / raw)
  To: David Laight
  Cc: Yousef Alhouseen, Gerd Hoffmann, Vivek Kasireddy, Sumit Semwal,
	dri-devel, linux-media, linaro-mm-sig, linux-kernel

On 6/26/26 13:31, David Laight wrote:
> On Wed, 24 Jun 2026 14:58:58 +0200
> Christian König <christian.koenig@amd.com> wrote:
> 
>> On 6/24/26 14:52, Yousef Alhouseen wrote:
>>> UDMABUF_CREATE_LIST copies an array whose element count comes from
>>> userspace. The count is compared against list_limit, but list_limit is a
>>> signed module parameter while the count is u32.  
>>
>> We should probably just drop the sign from the module parameter instead.
> 
> Does anything sanity-check the module parameter?

Do we need to? I mean shooting into your own foot is supposed to hurt.

Christian.

> 
> 	David
> 
>>
>> I don't see an use case for negative values here.
>>
>> Regards,
>> Christian.
>>
>>>
>>> If the limit is raised too far or made negative, that comparison no
>>> longer bounds the count to a range where sizeof(*list) * count fits in
>>> the u32 temporary used for the copy length. A wrapped copy length lets
>>> memdup_user() copy fewer entries than udmabuf_create() subsequently
>>> walks, leading to out-of-bounds reads from the copied list.
>>>
>>> Take a positive snapshot of the module limit and use memdup_array_user()
>>> so the multiplication is checked before copying.
>>>
>>> Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
>>> ---
>>>  drivers/dma-buf/udmabuf.c | 9 +++++----
>>>  1 file changed, 5 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
>>> index bced421c0..b4078ec84 100644
>>> --- a/drivers/dma-buf/udmabuf.c
>>> +++ b/drivers/dma-buf/udmabuf.c
>>> @@ -469,14 +469,15 @@ static long udmabuf_ioctl_create_list(struct file *filp, unsigned long arg)
>>>         struct udmabuf_create_list head;
>>>         struct udmabuf_create_item *list;
>>>         int ret = -EINVAL;
>>> -       u32 lsize;
>>> +       int limit;
>>>
>>>         if (copy_from_user(&head, (void __user *)arg, sizeof(head)))
>>>                 return -EFAULT;
>>> -       if (head.count > list_limit)
>>> +       limit = READ_ONCE(list_limit);
>>> +       if (!head.count || limit <= 0 || head.count > limit)
>>>                 return -EINVAL;
>>> -       lsize = sizeof(struct udmabuf_create_item) * head.count;
>>> -       list = memdup_user((void __user *)(arg + sizeof(head)), lsize);
>>> +       list = memdup_array_user((void __user *)(arg + sizeof(head)),
>>> +                                head.count, sizeof(*list));
>>>         if (IS_ERR(list))
>>>                 return PTR_ERR(list);
>>>
>>> --
>>> 2.54.0
>>>   
>>
>>
> 


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-06-26 12:23 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-24 12:52 [PATCH] dma-buf: udmabuf: avoid list copy size overflow Yousef Alhouseen
2026-06-24 12:58 ` Christian König
2026-06-25  9:07   ` Yousef Alhouseen
2026-06-26 11:31   ` David Laight
2026-06-26 12:23     ` Christian König

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox