[PATCH] drm: Restrict ioctl size to kernel struct size

Chris Wilson chris at chris-wilson.co.uk
Tue Oct 22 11:38:03 CEST 2013


Prevent the user from passing in an ioctl command with up to 16,383
bytes specified for the struct to be allocated and copied, and
instead only allocate enough space to satisfy the kernel.

Suggested-by: Pavel Roskin <proski at gnu.org>
Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
Cc: Pavel Roskin <proski at gnu.org>
Cc: dri-devel at lists.freedesktop.org
---
 drivers/gpu/drm/drm_drv.c | 30 +++++++++++++-----------------
 1 file changed, 13 insertions(+), 17 deletions(-)

diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
index 05ad9ba0a67e..8c5fbc9d41ad 100644
--- a/drivers/gpu/drm/drm_drv.c
+++ b/drivers/gpu/drm/drm_drv.c
@@ -354,6 +354,16 @@ static int drm_version(struct drm_device *dev, void *data,
 	return err;
 }
 
+static unsigned ioctl_size(unsigned kcmd, unsigned ucmd, unsigned *ksize, unsigned *usize)
+{
+	*ksize = _IOC_SIZE(kcmd);
+	*usize = _IOC_SIZE(ucmd);
+	if (*usize > *ksize)
+		*usize = *ksize;
+
+	return kcmd;
+}
+
 /**
  * Called whenever a process performs an ioctl on /dev/drm.
  *
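Review bot: `ioctl_size()` has no comment and returns `kcmd` unchanged, so the `cmd = ioctl_size(...)` call sites read as if a sizing helper computed the command. A short comment above it would state the intent, e.g. `/* Size the copy from the kernel's table entry; never trust _IOC_SIZE(ucmd) beyond ksize. Returns the kernel's command encoding. */`. The clamp at `if (*usize > *ksize)` is silent, so a caller passing an oversized struct has it truncated with no trace; a debug message on that branch would help when diagnosing mismatched userspace headers. Kernel style also prefers `unsigned int` over bare `unsigned` in the signature.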
@@ -393,25 +403,11 @@ long drm_ioctl(struct file *filp,
 		goto err_i1;
 	if ((nr >= DRM_COMMAND_BASE) && (nr < DRM_COMMAND_END) &&
 	    (nr < DRM_COMMAND_BASE + dev->driver->num_ioctls)) {
-		u32 drv_size;
 		ioctl = &dev->driver->ioctls[nr - DRM_COMMAND_BASE];
-		drv_size = _IOC_SIZE(ioctl->cmd_drv);
-		usize = asize = _IOC_SIZE(cmd);
-		if (drv_size > asize)
-			asize = drv_size;
-		cmd = ioctl->cmd_drv;
-	}
-	else if ((nr >= DRM_COMMAND_END) || (nr < DRM_COMMAND_BASE)) {
-		u32 drv_size;
-
+		cmd = ioctl_size(ioctl->cmd_drv, cmd, &asize, &usize);
+	} else if ((nr >= DRM_COMMAND_END) || (nr < DRM_COMMAND_BASE)) {
 		ioctl = &drm_ioctls[nr];
-
-		drv_size = _IOC_SIZE(ioctl->cmd);
-		usize = asize = _IOC_SIZE(cmd);
-		if (drv_size > asize)
-			asize = drv_size;
-
-		cmd = ioctl->cmd;
+		cmd = ioctl_size(ioctl->cmd, cmd, &asize, &usize);
 	} else
 		goto err_i1;
 
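Review bot: With `asize` now taken only from the kernel's table entry and `usize` clamped to it, both call sites leave `usize < asize` whenever userspace passes a shorter struct, and nothing in this hunk shows the uncopied tail of the kernel buffer being zeroed before the handler runs. That code sits in the part of `drm_ioctl()` outside the hunk, so confirm that the buffer is zero-filled from `usize` to `asize` and that both the copy-in and the copy-out are bounded by `usize`; otherwise the handler would act on uninitialised kernel memory. The `drm_ioctls[nr]` lookup in the second branch likewise depends on a bound check on `nr` that is not visible here. A one-line comment at the call sites, such as `/* cmd and asize come from the kernel table; only usize is user-controlled */`, would make the trust boundary explicit.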
-- 
1.8.4.rc3


