[PATCH] drm/amdkfd: Integer overflows in ioctl
Oded Gabbay
oded.gabbay at gmail.com
Fri May 11 20:17:14 UTC 2018
On Tue, Apr 24, 2018 at 9:58 PM, Felix Kuehling <felix.kuehling at amd.com> wrote:
> Reviewed-by: Felix Kuehling <Felix.Kuehling at amd.com>
>
> We could probably add a sanity check for n_devices to avoid user mode
> causing excessive memory allocations in the kernel. There is no good
> reason for this to be bigger than the number of GPUs in the system. The
> maximum number of GPUs supported due to device minor limit in DRM is 128.
>
> Regards,
> Felix
>
>
> On 2018-04-24 09:35 AM, Dan Carpenter wrote:
>> args->n_devices is a u32 that comes from the user. The multiplication
>> could overflow on 32 bit systems possibly leading to privilege
>> escalation.
>>
>> Fixes: 5ec7e02854b3 ("drm/amdkfd: Add ioctls for GPUVM memory management")
>> Signed-off-by: Dan Carpenter dan.carpenter at oracle.com>
>>
>> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
>> index cd679cf1fd30..ce36e556da38 100644
>> --- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
>> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
>> @@ -1295,8 +1295,8 @@ static int kfd_ioctl_map_memory_to_gpu(struct file *filep,
>> return -EINVAL;
>> }
>>
>> - devices_arr = kmalloc(args->n_devices * sizeof(*devices_arr),
>> - GFP_KERNEL);
>> + devices_arr = kmalloc_array(args->n_devices, sizeof(*devices_arr),
>> + GFP_KERNEL);
>> if (!devices_arr)
>> return -ENOMEM;
>>
>> @@ -1404,8 +1404,8 @@ static int kfd_ioctl_unmap_memory_from_gpu(struct file *filep,
>> return -EINVAL;
>> }
>>
>> - devices_arr = kmalloc(args->n_devices * sizeof(*devices_arr),
>> - GFP_KERNEL);
>> + devices_arr = kmalloc_array(args->n_devices, sizeof(*devices_arr),
>> + GFP_KERNEL);
>> if (!devices_arr)
>> return -ENOMEM;
>>
>
Thanks!
Patch applied to amdkfd-fixes
Oded
More information about the amd-gfx
mailing list