lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20191106170317.GU1208@intel.com>
Date:   Wed, 6 Nov 2019 19:03:17 +0200
From:   Ville Syrjälä <ville.syrjala@...ux.intel.com>
To:     Daniel Vetter <daniel.vetter@...ll.ch>
Cc:     DRI Development <dri-devel@...ts.freedesktop.org>,
        Stephen Rothwell <sfr@...b.auug.org.au>,
        syzbot+fb77e97ebf0612ee6914@...kaller.appspotmail.com,
        Kees Cook <keescook@...omium.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Alexander Viro <viro@...iv.linux.org.uk>,
        Daniel Vetter <daniel.vetter@...el.com>,
        Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH] drm: Limit to INT_MAX in create_blob ioctl

On Wed, Nov 06, 2019 at 05:47:55PM +0100, Daniel Vetter wrote:
> The hardened usercpy code is too paranoid ever since:
> 
> commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe
> Author: Kees Cook <keescook@...omium.org>
> Date:   Wed Nov 6 16:07:01 2019 +1100
> 
>     uaccess: disallow > INT_MAX copy sizes
> 
> Code itself should have been fine as-is.
> 
> Reported-by: syzbot+fb77e97ebf0612ee6914@...kaller.appspotmail.com
> Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
> Cc: Kees Cook <keescook@...omium.org>
> Cc: Alexander Viro <viro@...iv.linux.org.uk>
> Cc: Andrew Morton <akpm@...ux-foundation.org>
> Cc: Stephen Rothwell <sfr@...b.auug.org.au>
> Signed-off-by: Daniel Vetter <daniel.vetter@...el.com>
> --
> Kees/Andrew,
> 
> Since this is -mm can I have a stable sha1 or something for
> referencing? Or do you want to include this in the -mm patch bomb for
> the merge window?
> -Daniel
> ---
>  drivers/gpu/drm/drm_property.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
> index 892ce636ef72..6ee04803c362 100644
> --- a/drivers/gpu/drm/drm_property.c
> +++ b/drivers/gpu/drm/drm_property.c
> @@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
>  	struct drm_property_blob *blob;
>  	int ret;
>  
> -	if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
> +	if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
>  		return ERR_PTR(-EINVAL);

INT_MAX should be more than enough.

Reviewed-by: Ville Syrjälä <ville.syrjala@...ux.intel.com>

>  
>  	blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
> -- 
> 2.24.0.rc2
> 
> _______________________________________________
> dri-devel mailing list
> dri-devel@...ts.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel

-- 
Ville Syrjälä
Intel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ