From: Eric Anholt <eric@anholt.net>

To: dri-devel@lists.freedesktop.org

Subject: [PATCH 1/2] drm/vc4: Fix an integer overflow in temporary

 allocation layout.

Date: Wed, 18 Jan 2017 07:20:49 +1100

We copy the unvalidated ioctl arguments from the user into kernel

temporary memory to run the validation from, to avoid a race where the

user updates the unvalidate contents in between validating them and

copying them into the validated BO.

However, in setting up the layout of the kernel side, we failed to

check one of the additions (the roundup() for shader_rec_offset)

against integer overflow, allowing a nearly MAX_UINT value of

bin_cl_size to cause us to under-allocate the temporary space that we

then copy_from_user into.

Reported-by: Murray McAllister <murray.mcallister@insomniasec.com>

Signed-off-by: Eric Anholt <eric@anholt.net>

Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")

---

 drivers/gpu/drm/vc4/vc4_gem.c | 3 ++-

 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c

index db920771bfb5..c5fe3554858e 100644

--- a/drivers/gpu/drm/vc4/vc4_gem.c

+++ b/drivers/gpu/drm/vc4/vc4_gem.c

@@ -594,7 +594,8 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)

 					  args->shader_rec_count);

 	struct vc4_bo *bo;

-	if (uniforms_offset < shader_rec_offset ||

+	if (shader_rec_offset < args->bin_cl_size ||

+	    uniforms_offset < shader_rec_offset ||

 	    exec_size < uniforms_offset ||

 	    args->shader_rec_count >= (UINT_MAX /

 					  sizeof(struct vc4_shader_state)) ||

-- 

2.11.0

_______________________________________________

dri-devel mailing list

dri-devel@lists.freedesktop.org

https://lists.freedesktop.org/mailman/listinfo/dri-devel

From: Eric Anholt <eric@anholt.net>

To: dri-devel@lists.freedesktop.org

Subject: [PATCH 2/2] drm/vc4: Return -EINVAL on the overflow checks failing.

Date: Wed, 18 Jan 2017 07:20:50 +1100

By failing to set the errno, we'd continue on to trying to set up the

RCL, and then oops on trying to dereference the tile_bo that binning

validation should have set up.

Reported-by: Ingo Molnar <mingo@kernel.org>

Signed-off-by: Eric Anholt <eric@anholt.net>

Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")

---

 drivers/gpu/drm/vc4/vc4_gem.c | 1 +

 1 file changed, 1 insertion(+)

diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c

index c5fe3554858e..ab3016982466 100644

--- a/drivers/gpu/drm/vc4/vc4_gem.c

+++ b/drivers/gpu/drm/vc4/vc4_gem.c

@@ -601,6 +601,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)

 					  sizeof(struct vc4_shader_state)) ||

 	    temp_size < exec_size) {

 		DRM_ERROR("overflow in exec arguments\n");

+		ret = -EINVAL;

 		goto fail;

 	}

-- 

2.11.0

_______________________________________________

dri-devel mailing list

dri-devel@lists.freedesktop.org

https://lists.freedesktop.org/mailman/listinfo/dri-devel