Message-ID: <714daae5-b95c-425e-afe2-3b107033e493@fintech.ru>
Date: Wed, 14 Aug 2024 06:48:14 -0700
From: Nikita Zhandarovich <n.zhandarovich@...tech.ru>
To: Alex Deucher <alexander.deucher@....com>, Christian König
	<christian.koenig@....com>, Xinhui Pan <Xinhui.Pan@....com>, David Airlie
	<airlied@...il.com>, Daniel Vetter <daniel@...ll.ch>
CC: Jerome Glisse <jglisse@...hat.com>, Dave Airlie <airlied@...hat.com>,
	<amd-gfx@...ts.freedesktop.org>, <dri-devel@...ts.freedesktop.org>,
	<linux-kernel@...r.kernel.org>, <lvc-project@...uxtesting.org>,
	<n.zhandarovich@...tech.ru>
Subject: Re: [PATCH v2] drm/radeon/evergreen_cs: fix int overflow errors in cs
 track offsets

Hi,

On 8/6/24 10:19, Nikita Zhandarovich wrote:
> Several cs track offsets (such as 'track->db_s_read_offset')
> either are initialized with or plainly take big enough values that,
> once shifted 8 bits left, may be hit with integer overflow if the
> resulting values end up going over u32 limit.
> 
> Same goes for a few instances of 'surf.layer_size * mslice'
> multiplications that are added to 'offset' variable - they may
> potentially overflow as well and need to be validated properly.
> 
> While some debug prints in this code section take possible overflow
> issues into account, simply casting to (unsigned long) may be
> erroneous in its own way, as depending on CPU architecture one is
> liable to get different results.
> 
> Fix said problems by:
>  - casting 'offset' to fixed u64 data type instead of
>  ambiguous unsigned long.
>  - casting one of the operands to u64 in the cases vulnerable to
>  integer overflow.
>  - adjust format specifiers in debug prints to properly
>  represent 'offset' values.
> 
> Found by Linux Verification Center (linuxtesting.org) with static
> analysis tool SVACE.
> 
> Fixes: 285484e2d55e ("drm/radeon: add support for evergreen/ni tiling informations v11")
> Signed-off-by: Nikita Zhandarovich <n.zhandarovich@...tech.ru>
> ---
> v2:
> - change data type to cast from unsigned long to u64 per Alex's and
> Christian's suggestion:
> https://lore.kernel.org/all/CADnq5_NaMr+vpqwqhsMoSeGrto2Lw5v0KXWEp2HRK=++orScMg@mail.gmail.com/
> - include validation of surf.layer_size * mslice per Christian's
> approval:
> https://lore.kernel.org/all/1914cfcb-9700-4274-8120-9746e241cb54@amd.com/
> - change format specifiers when printing 'offset' value.
> - fix commit description to reflect patch changes.
> 
> v1:
> https://lore.kernel.org/all/20240725180950.15820-1-n.zhandarovich@fintech.ru/
> 
>  drivers/gpu/drm/radeon/evergreen_cs.c | 62 +++++++++++++++++------------------
>  1 file changed, 31 insertions(+), 31 deletions(-)
> 
> diff --git a/drivers/gpu/drm/radeon/evergreen_cs.c b/drivers/gpu/drm/radeon/evergreen_cs.c
> index e5577d2a19ef..a46613283393 100644
> --- a/drivers/gpu/drm/radeon/evergreen_cs.c
> +++ b/drivers/gpu/drm/radeon/evergreen_cs.c
> @@ -397,7 +397,7 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i
>  	struct evergreen_cs_track *track = p->track;
>  	struct eg_surface surf;
>  	unsigned pitch, slice, mslice;
> -	unsigned long offset;
> +	u64 offset;
>  	int r;
>  
>  	mslice = G_028C6C_SLICE_MAX(track->cb_color_view[id]) + 1;
> @@ -435,14 +435,14 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i
>  		return r;
>  	}
>  
> -	offset = track->cb_color_bo_offset[id] << 8;
> +	offset = (u64)track->cb_color_bo_offset[id] << 8;
>  	if (offset & (surf.base_align - 1)) {
> -		dev_warn(p->dev, "%s:%d cb[%d] bo base %ld not aligned with %ld\n",
> +		dev_warn(p->dev, "%s:%d cb[%d] bo base %llu not aligned with %ld\n",
>  			 __func__, __LINE__, id, offset, surf.base_align);
>  		return -EINVAL;
>  	}
>  
> -	offset += surf.layer_size * mslice;
> +	offset += (u64)surf.layer_size * mslice;
>  	if (offset > radeon_bo_size(track->cb_color_bo[id])) {
>  		/* old ddx are broken they allocate bo with w*h*bpp but
>  		 * program slice with ALIGN(h, 8), catch this and patch
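Review bot: The dev_warn rewritten at the `bo base %llu not aligned with %ld` line fixes the specifier for `offset` but still prints `surf.base_align` with `%ld`; the struct definition is not in this hunk, but if `base_align` is `unsigned long` (as its original pairing with the `unsigned long offset` suggests) the matching specifier is `%lu`, and `-Wformat` will keep flagging the signed/unsigned mismatch on lines this patch already touches. The same applies to `bo size %ld` for `radeon_bo_size()` in the hunks at 478, 610, 629 and 708, and to the stencil/depth `not aligned with %ld` lines. Since these format strings are being rewritten anyway, switching them to `%lu` in the same patch avoids a second pass over the same lines. evergreen_cs_track_validate_cb begins and ends outside this hunk.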
> @@ -450,14 +450,14 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i
>  		 */
>  		if (!surf.mode) {
>  			uint32_t *ib = p->ib.ptr;
> -			unsigned long tmp, nby, bsize, size, min = 0;
> +			u64 tmp, nby, bsize, size, min = 0;
>  
>  			/* find the height the ddx wants */
>  			if (surf.nby > 8) {
>  				min = surf.nby - 8;
>  			}
>  			bsize = radeon_bo_size(track->cb_color_bo[id]);
> -			tmp = track->cb_color_bo_offset[id] << 8;
> +			tmp = (u64)track->cb_color_bo_offset[id] << 8;
>  			for (nby = surf.nby; nby > min; nby--) {
>  				size = nby * surf.nbx * surf.bpe * surf.nsamples;
>  				if ((tmp + size * mslice) <= bsize) {
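Review bot: The reason `nby` and `min` are widened to u64 alongside `tmp`, `bsize` and `size` is not stated, and a later reader may narrow the loop counter back to `unsigned` for the 32-bit code-size cost; `nby` being 64-bit is what makes `size = nby * surf.nbx * surf.bpe * surf.nsamples` evaluate in 64 bits if, as it appears, the other operands are 32-bit. A one-line comment on the declaration would pin that down: `/* nby is u64 so the size product below is computed in 64 bits */`. Note that `slice = ((nby * surf.nbx) / 64) - 1` in the following hunk still narrows the 64-bit result into `unsigned slice` (declared at the top of the function in the first hunk); that predates this patch and is unchanged by it, but is worth a comment for the same reason. The enclosing old-ddx block and evergreen_cs_track_validate_cb extend beyond this hunk.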
> @@ -469,7 +469,7 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i
>  				slice = ((nby * surf.nbx) / 64) - 1;
>  				if (!evergreen_surface_check(p, &surf, "cb")) {
>  					/* check if this one works */
> -					tmp += surf.layer_size * mslice;
> +					tmp += (u64)surf.layer_size * mslice;
>  					if (tmp <= bsize) {
>  						ib[track->cb_color_slice_idx[id]] = slice;
>  						goto old_ddx_ok;
> @@ -478,9 +478,9 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i
>  			}
>  		}
>  		dev_warn(p->dev, "%s:%d cb[%d] bo too small (layer size %d, "
> -			 "offset %d, max layer %d, bo size %ld, slice %d)\n",
> +			 "offset %llu, max layer %d, bo size %ld, slice %d)\n",
>  			 __func__, __LINE__, id, surf.layer_size,
> -			track->cb_color_bo_offset[id] << 8, mslice,
> +			(u64)track->cb_color_bo_offset[id] << 8, mslice,
>  			radeon_bo_size(track->cb_color_bo[id]), slice);
>  		dev_warn(p->dev, "%s:%d problematic surf: (%d %d) (%d %d %d %d %d %d %d)\n",
>  			 __func__, __LINE__, surf.nbx, surf.nby,
> @@ -564,7 +564,7 @@ static int evergreen_cs_track_validate_stencil(struct radeon_cs_parser *p)
>  	struct evergreen_cs_track *track = p->track;
>  	struct eg_surface surf;
>  	unsigned pitch, slice, mslice;
> -	unsigned long offset;
> +	u64 offset;
>  	int r;
>  
>  	mslice = G_028008_SLICE_MAX(track->db_depth_view) + 1;
> @@ -610,18 +610,18 @@ static int evergreen_cs_track_validate_stencil(struct radeon_cs_parser *p)
>  		return r;
>  	}
>  
> -	offset = track->db_s_read_offset << 8;
> +	offset = (u64)track->db_s_read_offset << 8;
>  	if (offset & (surf.base_align - 1)) {
> -		dev_warn(p->dev, "%s:%d stencil read bo base %ld not aligned with %ld\n",
> +		dev_warn(p->dev, "%s:%d stencil read bo base %llu not aligned with %ld\n",
>  			 __func__, __LINE__, offset, surf.base_align);
>  		return -EINVAL;
>  	}
> -	offset += surf.layer_size * mslice;
> +	offset += (u64)surf.layer_size * mslice;
>  	if (offset > radeon_bo_size(track->db_s_read_bo)) {
>  		dev_warn(p->dev, "%s:%d stencil read bo too small (layer size %d, "
> -			 "offset %ld, max layer %d, bo size %ld)\n",
> +			 "offset %llu, max layer %d, bo size %ld)\n",
>  			 __func__, __LINE__, surf.layer_size,
> -			(unsigned long)track->db_s_read_offset << 8, mslice,
> +			(u64)track->db_s_read_offset << 8, mslice,
>  			radeon_bo_size(track->db_s_read_bo));
>  		dev_warn(p->dev, "%s:%d stencil invalid (0x%08x 0x%08x 0x%08x 0x%08x)\n",
>  			 __func__, __LINE__, track->db_depth_size,
> @@ -629,18 +629,18 @@ static int evergreen_cs_track_validate_stencil(struct radeon_cs_parser *p)
>  		return -EINVAL;
>  	}
>  
> -	offset = track->db_s_write_offset << 8;
> +	offset = (u64)track->db_s_write_offset << 8;
>  	if (offset & (surf.base_align - 1)) {
> -		dev_warn(p->dev, "%s:%d stencil write bo base %ld not aligned with %ld\n",
> +		dev_warn(p->dev, "%s:%d stencil write bo base %llu not aligned with %ld\n",
>  			 __func__, __LINE__, offset, surf.base_align);
>  		return -EINVAL;
>  	}
> -	offset += surf.layer_size * mslice;
> +	offset += (u64)surf.layer_size * mslice;
>  	if (offset > radeon_bo_size(track->db_s_write_bo)) {
>  		dev_warn(p->dev, "%s:%d stencil write bo too small (layer size %d, "
> -			 "offset %ld, max layer %d, bo size %ld)\n",
> +			 "offset %llu, max layer %d, bo size %ld)\n",
>  			 __func__, __LINE__, surf.layer_size,
> -			(unsigned long)track->db_s_write_offset << 8, mslice,
> +			(u64)track->db_s_write_offset << 8, mslice,
>  			radeon_bo_size(track->db_s_write_bo));
>  		return -EINVAL;
>  	}
> @@ -661,7 +661,7 @@ static int evergreen_cs_track_validate_depth(struct radeon_cs_parser *p)
>  	struct evergreen_cs_track *track = p->track;
>  	struct eg_surface surf;
>  	unsigned pitch, slice, mslice;
> -	unsigned long offset;
> +	u64 offset;
>  	int r;
>  
>  	mslice = G_028008_SLICE_MAX(track->db_depth_view) + 1;
> @@ -708,34 +708,34 @@ static int evergreen_cs_track_validate_depth(struct radeon_cs_parser *p)
>  		return r;
>  	}
>  
> -	offset = track->db_z_read_offset << 8;
> +	offset = (u64)track->db_z_read_offset << 8;
>  	if (offset & (surf.base_align - 1)) {
> -		dev_warn(p->dev, "%s:%d stencil read bo base %ld not aligned with %ld\n",
> +		dev_warn(p->dev, "%s:%d stencil read bo base %llu not aligned with %ld\n",
>  			 __func__, __LINE__, offset, surf.base_align);
>  		return -EINVAL;
>  	}
> -	offset += surf.layer_size * mslice;
> +	offset += (u64)surf.layer_size * mslice;
>  	if (offset > radeon_bo_size(track->db_z_read_bo)) {
>  		dev_warn(p->dev, "%s:%d depth read bo too small (layer size %d, "
> -			 "offset %ld, max layer %d, bo size %ld)\n",
> +			 "offset %llu, max layer %d, bo size %ld)\n",
>  			 __func__, __LINE__, surf.layer_size,
> -			(unsigned long)track->db_z_read_offset << 8, mslice,
> +			(u64)track->db_z_read_offset << 8, mslice,
>  			radeon_bo_size(track->db_z_read_bo));
>  		return -EINVAL;
>  	}
>  
> -	offset = track->db_z_write_offset << 8;
> +	offset = (u64)track->db_z_write_offset << 8;
>  	if (offset & (surf.base_align - 1)) {
> -		dev_warn(p->dev, "%s:%d stencil write bo base %ld not aligned with %ld\n",
> +		dev_warn(p->dev, "%s:%d stencil write bo base %llu not aligned with %ld\n",
>  			 __func__, __LINE__, offset, surf.base_align);
>  		return -EINVAL;
>  	}
> -	offset += surf.layer_size * mslice;
> +	offset += (u64)surf.layer_size * mslice;
>  	if (offset > radeon_bo_size(track->db_z_write_bo)) {
>  		dev_warn(p->dev, "%s:%d depth write bo too small (layer size %d, "
> -			 "offset %ld, max layer %d, bo size %ld)\n",
> +			 "offset %llu, max layer %d, bo size %ld)\n",
>  			 __func__, __LINE__, surf.layer_size,
> -			(unsigned long)track->db_z_write_offset << 8, mslice,
> +			(u64)track->db_z_write_offset << 8, mslice,
>  			radeon_bo_size(track->db_z_write_bo));
>  		return -EINVAL;
>  	}
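Review bot: The two dev_warn lines this hunk rewrites inside evergreen_cs_track_validate_depth still say `stencil read bo base` and `stencil write bo base`, while the sibling warnings a few lines below correctly say `depth read bo too small` / `depth write bo too small`; anyone reading a log for depth-buffer alignment rejections is pointed at the stencil path. Since the patch already changes both format strings, the texts could become `"%s:%d depth read bo base %llu not aligned with %ld\n"` and `"%s:%d depth write bo base %llu not aligned with %ld\n"`. If the wording is intentionally shared with evergreen_cs_track_validate_stencil it deserves a comment, but it reads like a copy-paste remnant. evergreen_cs_track_validate_depth begins outside this hunk.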

Gentle ping...

Regards,
Nikita
