[Intel-xe] [PATCH 1/2 v2] drm/xe: fix bounds checking for 'len' in xe_engine_create_ioctl
Matthew Brost
matthew.brost at intel.com
Mon Jun 26 22:25:22 UTC 2023
On Mon, Jun 26, 2023 at 02:22:20PM -0700, Paulo Zanoni wrote:
> There's this shared machine running xe.ko and I often log in to see my
> tmux corrupted by messages such as:
>
> usercopy: Kernel memory overwrite attempt detected to wrapped address (offset 0, size 18446660151965198754)!
>
> I also sometimes see:
>
> kernel BUG at mm/usercopy.c:102!
>
> Someone is running a program that's definitely submitting random
> numbers to this ioctl. If you pass width=65535 and
> num_placements=32769 then you get a negative 'len', which avoids the
> EINVAL check, leading to the bug.
>
> Switch 'len' to u32. It is the result of the multiplication of two u16
> numbers, so it won't be able to overflow back into smaller numbers as
> an u32.
>
> Very simple reproducer:
> https://people.freedesktop.org/~pzanoni/engine-create-bug/
>
> v2: Make len u32 instead of checking for <=0 (José).
>
> Signed-off-by: Paulo Zanoni <paulo.r.zanoni at intel.com>
Reviewed-by: Matthew Brost <matthew.brost at intel.com>
> ---
> drivers/gpu/drm/xe/xe_engine.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/xe/xe_engine.c b/drivers/gpu/drm/xe/xe_engine.c
> index 6e6b2913f766..530f55a33b03 100644
> --- a/drivers/gpu/drm/xe/xe_engine.c
> +++ b/drivers/gpu/drm/xe/xe_engine.c
> @@ -522,7 +522,7 @@ int xe_engine_create_ioctl(struct drm_device *dev, void *data,
> struct xe_engine *e = NULL;
> u32 logical_mask;
> u32 id;
> - int len;
> + u32 len;
> int err;
>
> if (XE_IOCTL_ERR(xe, args->flags) ||
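Review bot: the `u32 len;` declaration carries the whole fix, but nothing at the declaration records why it has to stay unsigned, and the multiplication and EINVAL check that the commit message refers to lie outside this hunk. A short comment at the declaration or at the check, saying that len is the product of the two u16 fields width and num_placements and therefore always fits in a u32, would keep a later cleanup from switching it back to `int`. It is also worth confirming that no later use of len in this function expects a signed value, since `err` on the next line stays `int`.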
> --
> 2.39.2
>
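The wrap described in the commit message, as an added example that is not part of the original post or of the xe driver. `MAX_LEN_ASSUMED` and the shape of the check are assumptions, since the driver's actual EINVAL check is outside the hunk shown.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical upper bound; the driver's real limit is not shown on this page. */
#define MAX_LEN_ASSUMED 64

/* Product of the two u16 fields stored in a signed int. The multiply is done
 * as u32 and then converted, which models the kernel's wrapping result
 * without relying on signed-overflow behaviour in userspace. */
static int len_as_int(uint16_t width, uint16_t num_placements)
{
    return (int)((uint32_t)width * (uint32_t)num_placements);
}

/* 'Before' shape: a negative len is neither zero nor above the bound. */
static int check_len_signed(uint16_t width, uint16_t num_placements)
{
    int len = len_as_int(width, num_placements);

    if (len == 0 || len > MAX_LEN_ASSUMED)
        return -EINVAL;
    return 0;
}

/* 'After' shape: u16 * u16 is at most 65535 * 65535, which fits in a u32,
 * so an oversized product stays large and is rejected. */
static int check_len_unsigned(uint16_t width, uint16_t num_placements)
{
    uint32_t len = (uint32_t)width * (uint32_t)num_placements;

    if (len == 0 || len > MAX_LEN_ASSUMED)
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* Values taken from the commit message. */
    printf("len as int: %d\n", len_as_int(65535, 32769));
    printf("signed check:   %d\n", check_len_signed(65535, 32769));
    printf("unsigned check: %d\n", check_len_unsigned(65535, 32769));
    return 0;
}
```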