From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Joonyoung Shim <jy0922.shim@samsung.com>,
	Tobias Jakobi <tjakobi@math.uni-bielefeld.de>,
	Inki Dae <inki.dae@samsung.com>,
	Sasha Levin <alexander.levin@verizon.com>
Subject: [PATCH 4.9 63/67] drm/exynos: g2d: prevent integer overflow in
Date: Mon,  6 Nov 2017 10:44:26 +0100
Message-ID: <20171106091307.901388577@linuxfoundation.org>
In-Reply-To: <20171106091305.401025609@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joonyoung Shim <jy0922.shim@samsung.com>


[ Upstream commit e41456bfc811f12b5dcda6f2d6849bdff68f6c0a ]

The size computations done in the ioctl function use an integer.
If userspace submits a request with req->cmd_nr or req->cmd_buf_nr
set to INT_MAX, the integer computations overflow later, leading
to potential (kernel) memory corruption.

Prevent this issue by enforcing a limit on the number of submitted
commands, so that we have enough headroom later for the size
computations.

Note that this change has no impact on the currently available
users in userspace, like e.g. libdrm/exynos.

While at it, also make a comment about the size computation more
detailed.

Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
Signed-off-by: Tobias Jakobi <tjakobi@math.uni-bielefeld.de>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/exynos/exynos_drm_g2d.c |   17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
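To make the overflow described in the commit message concrete, here is an added example (not kernel code and not part of this patch) that models the cmdlist size check from exynos_g2d_set_cmdlist_ioctl() before and after the change. It assumes a placeholder value for G2D_CMDLIST_DATA_NUM, treats `last`, `cmd_nr` and `cmd_buf_nr` as 32-bit unsigned quantities, and uses constructed function names (`computed_size`, `check_cmdlist_unguarded`, `check_cmdlist_guarded`) that do not exist in the driver.

```c
/*
 * Added illustration, not code from the exynos driver or this patch.
 * Models the expression "size = last + cmd_nr * 2 + cmd_buf_nr * 2 + 2"
 * and the two checks around it.
 *
 * Assumptions (not taken from the patch): the value below for
 * G2D_CMDLIST_DATA_NUM is a placeholder; the three inputs are 32-bit
 * unsigned, so the sum is evaluated modulo 2^32 before being stored
 * in an int, which is the wrap the commit message refers to.
 */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define G2D_CMDLIST_DATA_NUM 254  /* assumed placeholder; the real value is in the driver */

/* The size expression as a 32-bit computation: wraps modulo 2^32. */
static int computed_size(uint32_t last, uint32_t cmd_nr, uint32_t cmd_buf_nr)
{
	uint32_t size = last + cmd_nr * 2u + cmd_buf_nr * 2u + 2u;

	/* Conversion to int is implementation-defined above INT_MAX (gcc/clang wrap). */
	return (int)size;
}

/* The mathematically exact value of the same expression, for comparison. */
static uint64_t exact_size(uint32_t last, uint32_t cmd_nr, uint32_t cmd_buf_nr)
{
	return (uint64_t)last + (uint64_t)cmd_nr * 2 + (uint64_t)cmd_buf_nr * 2 + 2;
}

/* Before the patch: only the (possibly wrapped) size is compared to the capacity. */
static int check_cmdlist_unguarded(uint32_t last, uint32_t cmd_nr, uint32_t cmd_buf_nr)
{
	int size = computed_size(last, cmd_nr, cmd_buf_nr);

	if (size > G2D_CMDLIST_DATA_NUM)
		return -EINVAL;  /* "cmdlist size is too big" */
	return 0;
}

/* After the patch: cap each count first, then run the original size check. */
static int check_cmdlist_guarded(uint32_t last, uint32_t cmd_nr, uint32_t cmd_buf_nr)
{
	if (cmd_nr > G2D_CMDLIST_DATA_NUM || cmd_buf_nr > G2D_CMDLIST_DATA_NUM)
		return -EINVAL;  /* "number of submitted G2D commands exceeds limit" */

	/*
	 * With both counts capped, the sum is at most
	 * last + 4 * G2D_CMDLIST_DATA_NUM + 2, far below INT_MAX, so the
	 * 32-bit computation in check_cmdlist_unguarded() can no longer wrap.
	 */
	return check_cmdlist_unguarded(last, cmd_nr, cmd_buf_nr);
}

int main(void)
{
	uint32_t last = 4;            /* constructed: a few words already in the list */
	uint32_t oversized_nr = INT_MAX;  /* the value named in the commit message */

	printf("exact size:      %llu\n",
	       (unsigned long long)exact_size(last, oversized_nr, 0));
	printf("wrapped size:    %d\n", computed_size(last, oversized_nr, 0));
	printf("unguarded check: %d (0 = accepted)\n",
	       check_cmdlist_unguarded(last, oversized_nr, 0));
	printf("guarded check:   %d (-EINVAL = rejected)\n",
	       check_cmdlist_guarded(last, oversized_nr, 0));
	return 0;
}
```

With cmd_nr = INT_MAX the exact size is about 4.29e9, but the 32-bit sum wraps to 4, so the original comparison accepts it; the capped version rejects the request before the size is ever computed, while ordinary requests (and requests that merely exceed the list capacity) are still handled by the existing size check.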

--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.c
@@ -1193,6 +1193,17 @@ int exynos_g2d_set_cmdlist_ioctl(struct
 	if (!node)
 		return -ENOMEM;
 
+	/*
+	 * To avoid an integer overflow for the later size computations, we
+	 * enforce a maximum number of submitted commands here. This limit is
+	 * sufficient for all conceivable usage cases of the G2D.
+	 */
+	if (req->cmd_nr > G2D_CMDLIST_DATA_NUM ||
+	    req->cmd_buf_nr > G2D_CMDLIST_DATA_NUM) {
+		dev_err(dev, "number of submitted G2D commands exceeds limit\n");
+		return -EINVAL;
+	}
+
 	node->event = NULL;
 
 	if (req->event_type != G2D_EVENT_NOT) {
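Review bot: the new `return -EINVAL;` runs after `node` has already been obtained (the `if (!node) return -ENOMEM;` immediately above it), so this early exit does not release the node; either place the cap before the node is acquired, so that rejecting the request needs no cleanup, or route the failure through the function's existing cleanup path. The bound itself looks right: with both `req->cmd_nr` and `req->cmd_buf_nr` limited to G2D_CMDLIST_DATA_NUM, the later `req->cmd_nr * 2 + req->cmd_buf_nr * 2` term is at most 4 * G2D_CMDLIST_DATA_NUM, which is nowhere near INT_MAX for a per-page command-list capacity. Consider also returning the rejected counts in the dev_err() message so a misbehaving client is easy to identify.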
@@ -1250,7 +1261,11 @@ int exynos_g2d_set_cmdlist_ioctl(struct
 		cmdlist->data[cmdlist->last++] = G2D_INTEN_ACF;
 	}
 
-	/* Check size of cmdlist: last 2 is about G2D_BITBLT_START */
+	/*
+	 * Check the size of cmdlist. The 2 that is added last comes from
+	 * the implicit G2D_BITBLT_START that is appended once we have
+	 * checked all the submitted commands.
+	 */
 	size = cmdlist->last + req->cmd_nr * 2 + req->cmd_buf_nr * 2 + 2;
 	if (size > G2D_CMDLIST_DATA_NUM) {
 		dev_err(dev, "cmdlist size is too big\n");
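Review bot: the expanded comment explains the trailing `+ 2` but not that this computation is only overflow-safe because of the cap added earlier in the function; `size > G2D_CMDLIST_DATA_NUM` cannot catch a wrapped (small or negative) `size`, so the two checks depend on each other while sitting some 60 lines apart. Add a sentence here such as "req->cmd_nr and req->cmd_buf_nr are bounded by G2D_CMDLIST_DATA_NUM above, so this cannot overflow" so that a later edit does not relax one check without the other.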
