[PATCH v2 7/8] drm: Sanitize DRM_IOCTL_MODE_CREATE_DUMB input
Thierry Reding
thierry.reding at gmail.com
Thu Nov 6 07:49:20 PST 2014
From: Thierry Reding <treding at nvidia.com>
Some drivers treat the pitch and size fields as inputs and will use them
as minima provided by userspace so that they are only overwritten if the
minimal requirements of the driver exceed them.
This can cause strange behaviour when applications don't zero out these
fields, causing whatever was on the stack to be passed to the IOCTL. In
a typical case this would become visible as a failed allocation if the
pitch or size were unusually high. But this could also cause more subtle
bugs like overallocating dumb framebuffers.
To prevent drivers from misusing these values, make the DRM core zero
out the pitch and size fields before passing the structure to the driver
implementation.
While at it, also set the output handle field to zero for good measure,
even though it's less likely to be abused.
Reviewed-by: Daniel Vetter <daniel.vetter at ffwll.ch>
Signed-off-by: Thierry Reding <treding at nvidia.com>
---
Changes in v2:
- add a comment about why we can't simply reject non-zero output fields
---
drivers/gpu/drm/drm_crtc.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index 0f3c24c0981b..4d7a7699772d 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -4755,6 +4755,16 @@ int drm_mode_create_dumb_ioctl(struct drm_device *dev,
if (PAGE_ALIGN(size) == 0)
return -EINVAL;
+ /*
+ * handle, pitch and size are output parameters. Zero them out to
+ * prevent drivers from accidentally using uninitialized data. Since
+ * not all existing userspace is clearing these fields properly we
+ * cannot reject IOCTL with garbage in them.
+ */
+ args->handle = 0;
+ args->pitch = 0;
+ args->size = 0;
+
return dev->driver->dumb_create(file_priv, dev, args);
}
--
2.1.3
More information about the dri-devel
mailing list