[Intel-xe] [PATCH 1/2 v2] drm/xe: fix bounds checking for 'len' in xe_engine_create_ioctl
Souza, Jose
jose.souza at intel.com
Tue Jun 27 18:17:12 UTC 2023
On Mon, 2023-06-26 at 14:22 -0700, Paulo Zanoni wrote:
> There's this shared machine running xe.ko and I often log in to see my
> tmux corrupted by messages such as:
>
> usercopy: Kernel memory overwrite attempt detected to wrapped address (offset 0, size 18446660151965198754)!
>
> I also sometimes see:
>
> kernel BUG at mm/usercopy.c:102!
>
> Someone is running a program that's definitely submitting random
> numbers to this ioctl. If you pass width=65535 and
> num_placements=32769 then you get a negative 'len', which avoids the
> EINVAL check, leading to the bug.
>
> Switch 'len' to u32. It is the result of the multiplication of two u16
> numbers, so it won't be able to overflow back into smaller numbers as
> an u32.
>
> Very simple reproducer:
> https://people.freedesktop.org/~pzanoni/engine-create-bug/
>
> v2: Make len u32 instead of checking for <=0 (José).
>
Reviewed-by: José Roberto de Souza <jose.souza at intel.com>
> Signed-off-by: Paulo Zanoni <paulo.r.zanoni at intel.com>
> ---
> drivers/gpu/drm/xe/xe_engine.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/xe/xe_engine.c b/drivers/gpu/drm/xe/xe_engine.c
> index 6e6b2913f766..530f55a33b03 100644
> --- a/drivers/gpu/drm/xe/xe_engine.c
> +++ b/drivers/gpu/drm/xe/xe_engine.c
> @@ -522,7 +522,7 @@ int xe_engine_create_ioctl(struct drm_device *dev, void *data,
> struct xe_engine *e = NULL;
> u32 logical_mask;
> u32 id;
> - int len;
> + u32 len;
> int err;
>
> if (XE_IOCTL_ERR(xe, args->flags) ||
More information about the Intel-xe
mailing list