From: Thomas Zimmermann <tzimmermann@suse.de>
To: maarten.lankhorst@linux.intel.com, mripard@kernel.org,
airlied@gmail.com, simona@ffwll.ch
Cc: dri-devel@lists.freedesktop.org,
linux-mediatek@lists.infradead.org,
freedreno@lists.freedesktop.org, linux-arm-msm@vger.kernel.org,
imx@lists.linux.dev, linux-samsung-soc@vger.kernel.org,
nouveau@lists.freedesktop.org, virtualization@lists.linux.dev,
spice-devel@lists.freedesktop.org,
linux-renesas-soc@vger.kernel.org,
linux-rockchip@lists.infradead.org, linux-tegra@vger.kernel.org,
intel-xe@lists.freedesktop.org, xen-devel@lists.xenproject.org,
Thomas Zimmermann <tzimmermann@suse.de>
Subject: [PATCH v2 01/25] drm/dumb-buffers: Sanitize output on errors
Date: Thu, 9 Jan 2025 15:56:55 +0100 [thread overview]
Message-ID: <20250109150310.219442-2-tzimmermann@suse.de> (raw)
In-Reply-To: <20250109150310.219442-1-tzimmermann@suse.de>
The ioctls MODE_CREATE_DUMB and MODE_MAP_DUMB return results into a
memory buffer supplied by user space. On errors, it is possible that
intermediate values are being returned. The exact semantics depends
on the DRM driver's implementation of these ioctls. Although this is
most-likely not a security problem in practice, avoid any uncertainty
by clearing the memory to 0 on errors.
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
---
drivers/gpu/drm/drm_dumb_buffers.c | 40 ++++++++++++++++++++++--------
1 file changed, 29 insertions(+), 11 deletions(-)
diff --git a/drivers/gpu/drm/drm_dumb_buffers.c b/drivers/gpu/drm/drm_dumb_buffers.c
index 70032bba1c97..9916aaf5b3f2 100644
--- a/drivers/gpu/drm/drm_dumb_buffers.c
+++ b/drivers/gpu/drm/drm_dumb_buffers.c
@@ -99,7 +99,30 @@ int drm_mode_create_dumb(struct drm_device *dev,
int drm_mode_create_dumb_ioctl(struct drm_device *dev,
void *data, struct drm_file *file_priv)
{
- return drm_mode_create_dumb(dev, data, file_priv);
+ struct drm_mode_create_dumb *args = data;
+ int err;
+
+ err = drm_mode_create_dumb(dev, args, file_priv);
+ if (err) {
+ args->handle = 0;
+ args->pitch = 0;
+ args->size = 0;
+ }
+ return err;
+}
+
+static int drm_mode_mmap_dumb(struct drm_device *dev, struct drm_mode_map_dumb *args,
+ struct drm_file *file_priv)
+{
+ if (!dev->driver->dumb_create)
+ return -ENOSYS;
+
+ if (dev->driver->dumb_map_offset)
+ return dev->driver->dumb_map_offset(file_priv, dev, args->handle,
+ &args->offset);
+ else
+ return drm_gem_dumb_map_offset(file_priv, dev, args->handle,
+ &args->offset);
}
/**
@@ -120,17 +143,12 @@ int drm_mode_mmap_dumb_ioctl(struct drm_device *dev,
void *data, struct drm_file *file_priv)
{
struct drm_mode_map_dumb *args = data;
+ int err;
- if (!dev->driver->dumb_create)
- return -ENOSYS;
-
- if (dev->driver->dumb_map_offset)
- return dev->driver->dumb_map_offset(file_priv, dev,
- args->handle,
- &args->offset);
- else
- return drm_gem_dumb_map_offset(file_priv, dev, args->handle,
- &args->offset);
+ err = drm_mode_mmap_dumb(dev, args, file_priv);
+ if (err)
+ args->offset = 0;
+ return err;
}
int drm_mode_destroy_dumb(struct drm_device *dev, u32 handle,
--
2.47.1
next prev parent reply other threads:[~2025-01-09 15:03 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-09 14:56 [PATCH v2 00/25] drm/dumb-buffers: Fix and improve buffer-size calculation Thomas Zimmermann
2025-01-09 14:56 ` Thomas Zimmermann [this message]
2025-01-09 14:56 ` [PATCH v2 02/25] drm/dumb-buffers: Provide helper to set pitch and size Thomas Zimmermann
2025-01-10 1:49 ` Andy Yan
2025-01-10 13:23 ` [PATCH " Thomas Zimmermann
2025-01-13 3:53 ` Andy Yan
2025-01-13 7:52 ` Thomas Zimmermann
2025-01-09 14:56 ` [PATCH v2 03/25] drm/gem-dma: Compute dumb-buffer sizes with drm_mode_size_dumb() Thomas Zimmermann
2025-01-09 14:56 ` [PATCH v2 04/25] drm/gem-shmem: " Thomas Zimmermann
2025-01-09 14:56 ` [PATCH v2 05/25] drm/gem-vram: " Thomas Zimmermann
2025-01-09 14:57 ` [PATCH v2 06/25] drm/armada: " Thomas Zimmermann
2025-01-09 14:57 ` [PATCH v2 07/25] drm/exynos: " Thomas Zimmermann
2025-01-09 14:57 ` [PATCH v2 08/25] drm/gma500: " Thomas Zimmermann
2025-01-09 14:57 ` [PATCH v2 09/25] drm/hibmc: " Thomas Zimmermann
2025-01-09 14:57 ` [PATCH v2 10/25] drm/imx/ipuv3: " Thomas Zimmermann
2025-01-10 8:06 ` Philipp Zabel
2025-01-09 14:57 ` [PATCH v2 11/25] drm/loongson: " Thomas Zimmermann
2025-01-15 3:50 ` Sui Jingfeng
2025-01-09 14:57 ` [PATCH v2 12/25] drm/mediatek: " Thomas Zimmermann
2025-01-09 14:57 ` [PATCH v2 13/25] drm/msm: " Thomas Zimmermann
2025-01-13 8:25 ` Dmitry Baryshkov
2025-01-09 14:57 ` [PATCH v2 14/25] drm/nouveau: " Thomas Zimmermann
2025-01-09 14:57 ` [PATCH v2 15/25] drm/omapdrm: " Thomas Zimmermann
2025-01-14 14:04 ` Tomi Valkeinen
2025-01-09 14:57 ` [PATCH v2 16/25] drm/qxl: " Thomas Zimmermann
2025-01-09 14:57 ` [PATCH v2 17/25] drm/renesas/rcar-du: " Thomas Zimmermann
2025-01-09 14:57 ` [PATCH v2 18/25] drm/renesas/rz-du: " Thomas Zimmermann
2025-01-09 14:57 ` [PATCH v2 19/25] drm/rockchip: " Thomas Zimmermann
2025-01-09 22:59 ` Heiko Stübner
2025-01-09 14:57 ` [PATCH v2 20/25] drm/tegra: " Thomas Zimmermann
2025-01-09 14:57 ` [PATCH v2 21/25] drm/virtio: " Thomas Zimmermann
2025-02-20 16:10 ` Dmitry Osipenko
2025-01-09 14:57 ` [PATCH v2 22/25] drm/vmwgfx: " Thomas Zimmermann
2025-01-10 18:18 ` Zack Rusin
2025-01-09 14:57 ` [PATCH v2 23/25] drm/xe: " Thomas Zimmermann
2025-01-09 16:05 ` Matthew Auld
2025-01-09 16:26 ` Thomas Zimmermann
2025-01-09 17:15 ` Matthew Auld
2025-01-09 14:57 ` [PATCH v2 24/25] drm/xen: " Thomas Zimmermann
2025-01-09 14:57 ` [PATCH v2 25/25] drm/xlnx: " Thomas Zimmermann
2025-01-15 10:13 ` Tomi Valkeinen
2025-01-15 10:26 ` Thomas Zimmermann
2025-01-15 10:58 ` Tomi Valkeinen
2025-01-15 11:37 ` Thomas Zimmermann
2025-01-15 12:06 ` Tomi Valkeinen
2025-01-15 12:34 ` Thomas Zimmermann
2025-01-15 13:33 ` Tomi Valkeinen
2025-01-15 13:45 ` Thomas Zimmermann
2025-01-15 14:20 ` Tomi Valkeinen
2025-01-15 14:34 ` Daniel Stone
2025-01-16 8:43 ` Laurent Pinchart
2025-01-16 9:38 ` Laurent Pinchart
2025-01-16 10:07 ` Tomi Valkeinen
2025-01-19 17:08 ` Laurent Pinchart
2025-01-16 8:09 ` Thomas Zimmermann
2025-01-16 10:03 ` Tomi Valkeinen
2025-01-16 10:17 ` Geert Uytterhoeven
2025-01-16 10:26 ` Tomi Valkeinen
2025-01-16 10:35 ` Dmitry Baryshkov
2025-01-16 12:24 ` Daniel Stone
2025-01-19 11:29 ` Sui Jingfeng
2025-01-19 12:18 ` Tomi Valkeinen
2025-01-19 14:59 ` Sui Jingfeng
2025-01-19 15:22 ` Tomi Valkeinen
2025-01-19 16:26 ` Sui Jingfeng
2025-01-19 20:14 ` Laurent Pinchart
2025-01-20 7:04 ` Sui Jingfeng
2025-01-20 3:34 ` Sui Jingfeng
2025-01-20 7:49 ` Thomas Zimmermann
2025-01-20 8:51 ` Tomi Valkeinen
2025-01-20 8:57 ` Thomas Zimmermann
2025-01-20 7:54 ` Thomas Zimmermann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250109150310.219442-2-tzimmermann@suse.de \
--to=tzimmermann@suse.de \
--cc=airlied@gmail.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=freedreno@lists.freedesktop.org \
--cc=imx@lists.linux.dev \
--cc=intel-xe@lists.freedesktop.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=linux-renesas-soc@vger.kernel.org \
--cc=linux-rockchip@lists.infradead.org \
--cc=linux-samsung-soc@vger.kernel.org \
--cc=linux-tegra@vger.kernel.org \
--cc=maarten.lankhorst@linux.intel.com \
--cc=mripard@kernel.org \
--cc=nouveau@lists.freedesktop.org \
--cc=simona@ffwll.ch \
--cc=spice-devel@lists.freedesktop.org \
--cc=virtualization@lists.linux.dev \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).