lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20250325084645.37258-1-a.vatoropin@crpt.ru>
Date: Tue, 25 Mar 2025 08:46:51 +0000
From: Ваторопин Андрей <a.vatoropin@...t.ru>
To: Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>
CC: Ваторопин Андрей <a.vatoropin@...t.ru>, Maxime Ripard
	<mripard@...nel.org>, Thomas Zimmermann <tzimmermann@...e.de>, David Airlie
	<airlied@...il.com>, Simona Vetter <simona@...ll.ch>, Thierry Reding
	<treding@...dia.com>, "dri-devel@...ts.freedesktop.org"
	<dri-devel@...ts.freedesktop.org>, "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>, "lvc-project@...uxtesting.org"
	<lvc-project@...uxtesting.org>
Subject: [PATCH] drm/gem: fix overflow in calculating DMA GEM size

From: Andrey Vatoropin <a.vatoropin@...t.ru>

The IOCTL handler drm_gem_dma_dumb_create() calculates "size" by
multiplying "pitch" and "height." This expression is currently being 
evaluated using 32-bit arithmetic, which can lead to an overflow during 
multiplication.

Since a value of type 'u64' is used to store the eventual size, it is 
necessary to perform 64-bit arithmetic to avoid overflow during the
multiplication.

The same thing was done in commit 0f8f8a643000 
("drm/i915/gem: Detect overflow in calculating dumb buffer size")

Found by Linux Verification Center (linuxtesting.org) with SVACE.
       
Fixes: 6d1782919dc9 ("drm/cma: Introduce drm_gem_cma_dumb_create_internal()")
Signed-off-by: Andrey Vatoropin <a.vatoropin@...t.ru> 
---
 drivers/gpu/drm/drm_gem_dma_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_gem_dma_helper.c b/drivers/gpu/drm/drm_gem_dma_helper.c
index 16988d316a6d..ac300777c79e 100644
--- a/drivers/gpu/drm/drm_gem_dma_helper.c
+++ b/drivers/gpu/drm/drm_gem_dma_helper.c
@@ -306,7 +306,7 @@ int drm_gem_dma_dumb_create(struct drm_file *file_priv,
 	struct drm_gem_dma_object *dma_obj;
 
 	args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8);
-	args->size = args->pitch * args->height;
+	args->size = mul_u32_u32(args->pitch, args->height);
 
 	dma_obj = drm_gem_dma_create_with_handle(file_priv, drm, args->size,
 						 &args->handle);
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ