[PATCH] drm: Limit to INT_MAX in create_blob ioctl

Daniel Vetter daniel.vetter at ffwll.ch
Wed Nov 6 17:56:12 UTC 2019 

On Wed, Nov 6, 2019 at 6:24 PM Kees Cook <keescook at chromium.org> wrote:
>
> On Wed, Nov 06, 2019 at 05:47:55PM +0100, Daniel Vetter wrote:
> > The hardened usercpy code is too paranoid ever since:
> >
> > commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe
> > Author: Kees Cook <keescook at chromium.org>
> > Date:   Wed Nov 6 16:07:01 2019 +1100
> >
> >     uaccess: disallow > INT_MAX copy sizes
> >
> > Code itself should have been fine as-is.
>
> I had to go read the syzbot report to understand what was actually being
> fixed here. Can you be a bit more verbose in this commit log? It sounds
> like huge usercopy sizes were allowed by drm (though I guess they would
> fail gracefully in some other way?) but after 6a30afa8c1fb, the copy
> would yell about sizes where INT_MAX < size < ULONG_MAX - sizeof(...) ?

The WARNING seems to have been the only bad effect. I guess in
practice the real big stuff fails at memory allocation time, but
shouldn't overflow. Or maybe I still don't get how this C thing works.
Anyway I figured the cited patch is good enough, userptr copies >
INT_MAX aren't allowed anymore, so we need to adjust our overflow
checks.
-Daniel

> What was the prior failure mode that made the existing ULONG_MAX check
> safe? Your patch looks fine, though:
>
> Reviewed-by: Kees Cook <keescook at chromium.org>
>
> > Reported-by: syzbot+fb77e97ebf0612ee6914 at syzkaller.appspotmail.com
> > Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
> > Cc: Kees Cook <keescook at chromium.org>
> > Cc: Alexander Viro <viro at zeniv.linux.org.uk>
> > Cc: Andrew Morton <akpm at linux-foundation.org>
> > Cc: Stephen Rothwell <sfr at canb.auug.org.au>
> > Signed-off-by: Daniel Vetter <daniel.vetter at intel.com>
> > --
> > Kees/Andrew,
> >
> > Since this is -mm can I have a stable sha1 or something for
> > referencing? Or do you want to include this in the -mm patch bomb for
> > the merge window?
>
> Traditionally these things live in akpm's tree when they are fixes for
> patches in there. I have no idea how the Fixes tags work in that case,
> though...
>
> -Kees
>
> > -Daniel
> > ---
> >  drivers/gpu/drm/drm_property.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
> > index 892ce636ef72..6ee04803c362 100644
> > --- a/drivers/gpu/drm/drm_property.c
> > +++ b/drivers/gpu/drm/drm_property.c
> > @@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
> >       struct drm_property_blob *blob;
> >       int ret;
> >
> > -     if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
> > +     if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
> >               return ERR_PTR(-EINVAL);
> >
> >       blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
> > --
> > 2.24.0.rc2
> >
>
> --
> Kees Cook



-- 
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch

More information about the dri-devel mailing list