Message-ID: <20210301104239.GQ2087@kadam>
Date:   Mon, 1 Mar 2021 13:42:39 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     kbuild@...ts.01.org, Rob Clark <robdclark@...omium.org>
Cc:     lkp@...el.com, kbuild-all@...ts.01.org,
        linux-kernel@...r.kernel.org,
        "Kristian H. Kristensen" <hoegsberg@...gle.com>
Subject: drivers/gpu/drm/msm/msm_gem_submit.c:202 submit_lookup_cmds() warn:
 impossible condition '(sz == (~0)) => (0-u32max == u64max)'

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   fe07bfda2fb9cdef8a4d4008a409bb02f35f1bd8
commit: 20224d715a882210428ea62bba93f1bc4a0afe23 drm/msm/submit: Move copy_from_user ahead of locking bos
config: arm64-randconfig-m031-20210301 (attached as .config)
compiler: aarch64-linux-gcc (GCC) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>
Reported-by: Dan Carpenter <dan.carpenter@...cle.com>

smatch warnings:
drivers/gpu/drm/msm/msm_gem_submit.c:202 submit_lookup_cmds() warn: impossible condition '(sz == (~0)) => (0-u32max == u64max)'

vim +202 drivers/gpu/drm/msm/msm_gem_submit.c

20224d715a8822 Rob Clark 2020-10-23  158  static int submit_lookup_cmds(struct msm_gem_submit *submit,
20224d715a8822 Rob Clark 2020-10-23  159  		struct drm_msm_gem_submit *args, struct drm_file *file)
20224d715a8822 Rob Clark 2020-10-23  160  {
20224d715a8822 Rob Clark 2020-10-23  161  	unsigned i, sz;
20224d715a8822 Rob Clark 2020-10-23  162  	int ret = 0;
20224d715a8822 Rob Clark 2020-10-23  163  
20224d715a8822 Rob Clark 2020-10-23  164  	for (i = 0; i < args->nr_cmds; i++) {
20224d715a8822 Rob Clark 2020-10-23  165  		struct drm_msm_gem_submit_cmd submit_cmd;
20224d715a8822 Rob Clark 2020-10-23  166  		void __user *userptr =
20224d715a8822 Rob Clark 2020-10-23  167  			u64_to_user_ptr(args->cmds + (i * sizeof(submit_cmd)));
20224d715a8822 Rob Clark 2020-10-23  168  
20224d715a8822 Rob Clark 2020-10-23  169  		ret = copy_from_user(&submit_cmd, userptr, sizeof(submit_cmd));
20224d715a8822 Rob Clark 2020-10-23  170  		if (ret) {
20224d715a8822 Rob Clark 2020-10-23  171  			ret = -EFAULT;
20224d715a8822 Rob Clark 2020-10-23  172  			goto out;
20224d715a8822 Rob Clark 2020-10-23  173  		}
20224d715a8822 Rob Clark 2020-10-23  174  
20224d715a8822 Rob Clark 2020-10-23  175  		/* validate input from userspace: */
20224d715a8822 Rob Clark 2020-10-23  176  		switch (submit_cmd.type) {
20224d715a8822 Rob Clark 2020-10-23  177  		case MSM_SUBMIT_CMD_BUF:
20224d715a8822 Rob Clark 2020-10-23  178  		case MSM_SUBMIT_CMD_IB_TARGET_BUF:
20224d715a8822 Rob Clark 2020-10-23  179  		case MSM_SUBMIT_CMD_CTX_RESTORE_BUF:
20224d715a8822 Rob Clark 2020-10-23  180  			break;
20224d715a8822 Rob Clark 2020-10-23  181  		default:
20224d715a8822 Rob Clark 2020-10-23  182  			DRM_ERROR("invalid type: %08x\n", submit_cmd.type);
20224d715a8822 Rob Clark 2020-10-23  183  			return -EINVAL;
20224d715a8822 Rob Clark 2020-10-23  184  		}
20224d715a8822 Rob Clark 2020-10-23  185  
20224d715a8822 Rob Clark 2020-10-23  186  		if (submit_cmd.size % 4) {
20224d715a8822 Rob Clark 2020-10-23  187  			DRM_ERROR("non-aligned cmdstream buffer size: %u\n",
20224d715a8822 Rob Clark 2020-10-23  188  					submit_cmd.size);
20224d715a8822 Rob Clark 2020-10-23  189  			ret = -EINVAL;
20224d715a8822 Rob Clark 2020-10-23  190  			goto out;
20224d715a8822 Rob Clark 2020-10-23  191  		}
20224d715a8822 Rob Clark 2020-10-23  192  
20224d715a8822 Rob Clark 2020-10-23  193  		submit->cmd[i].type = submit_cmd.type;
20224d715a8822 Rob Clark 2020-10-23  194  		submit->cmd[i].size = submit_cmd.size / 4;
20224d715a8822 Rob Clark 2020-10-23  195  		submit->cmd[i].offset = submit_cmd.submit_offset / 4;
20224d715a8822 Rob Clark 2020-10-23  196  		submit->cmd[i].idx  = submit_cmd.submit_idx;
20224d715a8822 Rob Clark 2020-10-23  197  		submit->cmd[i].nr_relocs = submit_cmd.nr_relocs;
20224d715a8822 Rob Clark 2020-10-23  198  
20224d715a8822 Rob Clark 2020-10-23  199  		sz = array_size(submit_cmd.nr_relocs,
20224d715a8822 Rob Clark 2020-10-23  200  				sizeof(struct drm_msm_gem_submit_reloc));
20224d715a8822 Rob Clark 2020-10-23  201  		/* check for overflow: */
20224d715a8822 Rob Clark 2020-10-23 @202  		if (sz == SIZE_MAX) {
                                                            ^^^^^^^^^^^^^^
"sz" is a u32 so it can't equal ULONG_MAX on 64-bit systems.  I would
just leave this check out and let kmalloc() fail with a splat.

20224d715a8822 Rob Clark 2020-10-23  203  			ret = -ENOMEM;
20224d715a8822 Rob Clark 2020-10-23  204  			goto out;
20224d715a8822 Rob Clark 2020-10-23  205  		}
20224d715a8822 Rob Clark 2020-10-23  206  		submit->cmd[i].relocs = kmalloc(sz, GFP_KERNEL);
20224d715a8822 Rob Clark 2020-10-23  207  		ret = copy_from_user(submit->cmd[i].relocs, userptr, sz);
20224d715a8822 Rob Clark 2020-10-23  208  		if (ret) {
20224d715a8822 Rob Clark 2020-10-23  209  			ret = -EFAULT;
20224d715a8822 Rob Clark 2020-10-23  210  			goto out;
20224d715a8822 Rob Clark 2020-10-23  211  		}

The zero day bot will probably send you an email suggesting memdup_user()
here:

	tmp = memdup_user(userptr, sz);
	if (IS_ERR(tmp)) {
		ret = PTR_ERR(tmp);
		goto out;
	}
	submit->cmd[i].relocs = tmp;

20224d715a8822 Rob Clark 2020-10-23  212  	}
20224d715a8822 Rob Clark 2020-10-23  213  
20224d715a8822 Rob Clark 2020-10-23  214  out:
20224d715a8822 Rob Clark 2020-10-23  215  	return ret;
20224d715a8822 Rob Clark 2020-10-23  216  }
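Review bot: Declaring `sz` as `unsigned` at line 161 truncates the `size_t` that array_size() returns at line 199, so on a 64-bit build a `nr_relocs` whose byte count exceeds 32 bits yields a small `sz` while line 197 has already stored the full count in `submit->cmd[i].nr_relocs`; any code that later walks the relocs by that count (not visible in this listing) would run past the allocation. Declaring `unsigned i;` and `size_t sz;` separately keeps the size exact and makes the `sz == SIZE_MAX` saturation test at line 202 reachable. The kmalloc() result at line 206 is passed to copy_from_user() at line 207 without a NULL check; `if (!submit->cmd[i].relocs) { ret = -ENOMEM; goto out; }` before the copy would cover it. As far as the listing shows, `userptr` at line 207 still holds the address computed at lines 166-167 for the submit_cmd entry, so the source pointer of the relocs copy should be confirmed as well.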

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
