lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 3 Aug 2020 14:59:24 +0300 From: Oded Gabbay <oded.gabbay@...il.com> To: linux-kernel@...r.kernel.org, SW_Drivers@...ana.ai Cc: Ofir Bitton <obitton@...ana.ai> Subject: [PATCH 1/2] habanalabs: Validate user address before mapping From: Ofir Bitton <obitton@...ana.ai> User address must be validated before driver performs address map. Signed-off-by: Ofir Bitton <obitton@...ana.ai> Reviewed-by: Oded Gabbay <oded.gabbay@...il.com> Signed-off-by: Oded Gabbay <oded.gabbay@...il.com> --- drivers/misc/habanalabs/common/command_buffer.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/drivers/misc/habanalabs/common/command_buffer.c b/drivers/misc/habanalabs/common/command_buffer.c index 7c38c4f7f9c0..a8004911c977 100644 --- a/drivers/misc/habanalabs/common/command_buffer.c +++ b/drivers/misc/habanalabs/common/command_buffer.c @@ -10,6 +10,7 @@ #include <linux/mm.h> #include <linux/slab.h> +#include <linux/uaccess.h> #include <linux/genalloc.h> static void cb_fini(struct hl_device *hdev, struct hl_cb *cb) @@ -300,7 +301,7 @@ int hl_cb_mmap(struct hl_fpriv *hpriv, struct vm_area_struct *vma) struct hl_device *hdev = hpriv->hdev; struct hl_cb *cb; phys_addr_t address; - u32 handle; + u32 handle, user_cb_size; int rc; handle = vma->vm_pgoff; @@ -314,7 +315,8 @@ int hl_cb_mmap(struct hl_fpriv *hpriv, struct vm_area_struct *vma) } /* Validation check */ - if ((vma->vm_end - vma->vm_start) != ALIGN(cb->size, PAGE_SIZE)) { + user_cb_size = vma->vm_end - vma->vm_start; + if (user_cb_size != ALIGN(cb->size, PAGE_SIZE)) { dev_err(hdev->dev, "CB mmap failed, mmap size 0x%lx != 0x%x cb size\n", vma->vm_end - vma->vm_start, cb->size); @@ -322,6 +324,16 @@ int hl_cb_mmap(struct hl_fpriv *hpriv, struct vm_area_struct *vma) goto put_cb; } + if (!access_ok((void __user *) (uintptr_t) vma->vm_start, + user_cb_size)) { + dev_err(hdev->dev, + "user pointer is invalid - 0x%lx\n", + vma->vm_start); + + rc = -EINVAL; + goto put_cb; + } + spin_lock(&cb->lock); if (cb->mmap) { -- 2.17.1
Powered by blists - more mailing lists