lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Mon, 29 Jul 2013 20:21:49 -0400
From:	Dave Jones <davej@...hat.com>
To:	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Cc:	maarten.lankhorst@...onical.com, bskeggs@...hat.com
Subject: Re: drm/nouveau: do not allow negative sizes for now

On Tue, Jul 23, 2013 at 11:08:14PM +0000, Linux Kernel wrote:
 > Gitweb:     http://git.kernel.org/linus/;a=commit;h=0108bc808107b97e101b15af9705729626be6447
 > Commit:     0108bc808107b97e101b15af9705729626be6447
 > Author:     Maarten Lankhorst <maarten.lankhorst@...onical.com>
 > AuthorDate: Sun Jul 7 10:40:19 2013 +0200
 > Committer:  Ben Skeggs <bskeggs@...hat.com>
 > CommitDate: Wed Jul 10 10:48:07 2013 +1000
 > 
 >     drm/nouveau: do not allow negative sizes for now
 >     
 >     The API allows up to 64-bits allocations, but size is handled as int
 >     inside nouveau almost everywhere. Until this is fixed it's better to
 >     prevent negative sizes.
 >     
 >     The 256 kB before INT_MAX is paranoia, because of the large page
 >     aligning below that could flip it above INT_MAX.
 > 
 > diff --git a/drivers/gpu/drm/nouveau/nouveau_bo.c b/drivers/gpu/drm/nouveau/nouveau_bo.c
 > index 459a445..4e7ee5f 100644
 > --- a/drivers/gpu/drm/nouveau/nouveau_bo.c
 > +++ b/drivers/gpu/drm/nouveau/nouveau_bo.c
 > @@ -198,6 +198,12 @@ nouveau_bo_new(struct drm_device *dev, int size, int align,
 >  	size_t acc_size;
 >  	int ret;
 >  	int type = ttm_bo_type_device;
 > +	int max_size = INT_MAX & ~((1 << drm->client.base.vm->vmm->lpg_shift) - 1);
 > +
 > +	if (size <= 0 || size > max_size) {
 > +		nv_warn(drm, "skipped size %x\n", (u32)size);
 > +		return -EINVAL;
 > +	}
 >  
 >  	if (sg)
 >  		type = ttm_bo_type_sg;

A few more lines down..

 222         if (drm->client.base.vm) {
 223                 if (!(flags & TTM_PL_FLAG_TT) && size > 256 * 1024)

Which implies we may now be dereferencing NULL in some situations.
Either the check needs moving higher, or removing.

Can we get here with a NULL client.base.vm ? 

	Dave

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ