[Intel-gfx] [PATCH v4] drm/i915: Prevent overflow of execbuf.buffer_count and num_cliprects
Tvrtko Ursulin
tvrtko.ursulin at linux.intel.com
Thu Nov 16 09:44:20 UTC 2017
On 16/11/2017 09:36, Chris Wilson wrote:
> Quoting Tvrtko Ursulin (2017-11-16 09:00:08)
>>
>> On 15/11/2017 16:08, Chris Wilson wrote:
>>> @@ -2083,14 +2083,14 @@ get_fence_array(struct drm_i915_gem_execbuffer2 *args,
>>> if (!(args->flags & I915_EXEC_FENCE_ARRAY))
>>> return NULL;
>>>
>>> - if (nfences > SIZE_MAX / sizeof(*fences))
>>> + if (nfences > SIZE_MAX / max(sizeof(*fences), sizeof(*user)))
>>> return ERR_PTR(-EINVAL);
>>
>> This check is just to stay in some reasonable limits, yes? Doesn't seem
>> to be directly related to the implementation below. I am not saying we
>> should allow more fences, just wondering whether it is worthy of a
>> comment? And maybe in that case it is not -EINVAL (ABI) but -ENOMEM (to
>> fake implementation cannot support it / doesn't want to support it)?
>> Assuming I did not miss something.
>
>>> user = u64_to_user_ptr(args->cliprects_ptr);
>>> - if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
>>> + if (!access_ok(VERIFY_READ, user, nfences * sizeof(*user)))
>>> return ERR_PTR(-EFAULT);
>>>
>
> For access_ok we use nfences * sizeof(*user), therefore we have to make
> sure that doesn't overflow and produce small value which then passes the
> check and allows the caller to wander off into the badlands. So really
> the question is it EFAULT for the invalid pointer or EINVAL or the
> unusable parameters. We've (I've) taken the stance that we wanted to
> differentiate between the parameters being bogus and the result of using
> those parameters being bogus.
Oh right.. but looking at access_ok it seems that it is working with
unsigned longs. Not that it is documents explicitly, it is just a macro
and happens to use that under the covers (and via mm_segment_t type as
well). So it happens to match with size_t, but perhaps it indeed
warrants a comment and changing it to ULONG_MAX.
Regards,
Tvrtko
More information about the Intel-gfx
mailing list