[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <e3005eb6-e37f-bbb1-446b-15b2bc02b69f@amd.com>
Date: Wed, 19 Apr 2023 10:37:34 +0200
From: Christian König <christian.koenig@....com>
To: hackyzh002 <hackyzh002@...il.com>, alexander.deucher@....com
Cc: Xinhui.Pan@....com, airlied@...il.com, daniel@...ll.ch,
sumit.semwal@...aro.org, amd-gfx@...ts.freedesktop.org,
dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
linux-media@...r.kernel.org, linaro-mm-sig@...ts.linaro.org
Subject: Re: [PATCH 1/2] drm/radeon: Fix integer overflow in
radeon_cs_parser_init
Am 19.04.23 um 06:24 schrieb hackyzh002:
> The type of size is unsigned, if size is 0x40000000, there will be an
> integer overflow, size will be zero after size *= sizeof(uint32_t),
> will cause uninitialized memory to be referenced later
Well good catch, but this is actually harmless.
Userspace can control the memory which is referenced here anyway and
since the size would be zero when copying anything back to userspace
this is also not an information leak.
>
> Signed-off-by: hackyzh002 <hackyzh002@...il.com>
> ---
> drivers/gpu/drm/radeon/radeon_cs.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c
> index 46a27ebf4..472c29050 100644
> --- a/drivers/gpu/drm/radeon/radeon_cs.c
> +++ b/drivers/gpu/drm/radeon/radeon_cs.c
> @@ -270,7 +270,7 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data)
> {
> struct drm_radeon_cs *cs = data;
> uint64_t *chunk_array_ptr;
> - unsigned size, i;
> + u64 size, i;
Please use size_t for size only and not "i".
> u32 ring = RADEON_CS_RING_GFX;
> s32 priority = 0;
>
> @@ -347,7 +347,7 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data)
> continue;
> }
>
> - p->chunks[i].kdata = kvmalloc_array(size, sizeof(uint32_t), GFP_KERNEL);
> + p->chunks[i].kdata = kvcalloc(size, sizeof(uint32_t), GFP_KERNEL);
Please drop that chunk.
Regards,
Christian.
> size *= sizeof(uint32_t);
> if (p->chunks[i].kdata == NULL) {
> return -ENOMEM;
Powered by blists - more mailing lists