lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <e3005eb6-e37f-bbb1-446b-15b2bc02b69f@amd.com>
Date:   Wed, 19 Apr 2023 10:37:34 +0200
From:   Christian König <christian.koenig@....com>
To:     hackyzh002 <hackyzh002@...il.com>, alexander.deucher@....com
Cc:     Xinhui.Pan@....com, airlied@...il.com, daniel@...ll.ch,
        sumit.semwal@...aro.org, amd-gfx@...ts.freedesktop.org,
        dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
        linux-media@...r.kernel.org, linaro-mm-sig@...ts.linaro.org
Subject: Re: [PATCH 1/2] drm/radeon: Fix integer overflow in
 radeon_cs_parser_init

Am 19.04.23 um 06:24 schrieb hackyzh002:
> The type of size is unsigned, if size is 0x40000000, there will be an
> integer overflow, size will be zero after size *= sizeof(uint32_t),
> will cause uninitialized memory to be referenced later

Well good catch, but this is actually harmless.

Userspace can control the memory which is referenced here anyway and 
since the size would be zero when copying anything back to userspace 
this is also not an information leak.

>
> Signed-off-by: hackyzh002 <hackyzh002@...il.com>
> ---
>   drivers/gpu/drm/radeon/radeon_cs.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c
> index 46a27ebf4..472c29050 100644
> --- a/drivers/gpu/drm/radeon/radeon_cs.c
> +++ b/drivers/gpu/drm/radeon/radeon_cs.c
> @@ -270,7 +270,7 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data)
>   {
>   	struct drm_radeon_cs *cs = data;
>   	uint64_t *chunk_array_ptr;
> -	unsigned size, i;
> +	u64 size, i;

Please use size_t for size only and not "i".

>   	u32 ring = RADEON_CS_RING_GFX;
>   	s32 priority = 0;
>   
> @@ -347,7 +347,7 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data)
>   				continue;
>   		}
>   
> -		p->chunks[i].kdata = kvmalloc_array(size, sizeof(uint32_t), GFP_KERNEL);
> +		p->chunks[i].kdata = kvcalloc(size, sizeof(uint32_t), GFP_KERNEL);

Please drop that chunk.

Regards,
Christian.

>   		size *= sizeof(uint32_t);
>   		if (p->chunks[i].kdata == NULL) {
>   			return -ENOMEM;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ