| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CADnq5_PGo3=S4A9Vy-8Sonx+NEYp47_OD9NK_LFO9q+Dbtwo0Q@mail.gmail.com>
Date: Fri, 30 May 2025 17:07:00 -0400
From: Alex Deucher <alexdeucher@...il.com>
To: Dan Carpenter <dan.carpenter@...aro.org>
Cc: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam@....com>,
Alex Deucher <alexander.deucher@....com>, Christian König <christian.koenig@....com>,
David Airlie <airlied@...il.com>, Simona Vetter <simona@...ll.ch>, Arvind Yadav <Arvind.Yadav@....com>,
Shashank Sharma <shashank.sharma@....com>, amd-gfx@...ts.freedesktop.org,
dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] drm/amdgpu: Fix integer overflow issues in amdgpu_userq_fence.c
Applied. Thanks!
On Fri, May 23, 2025 at 12:25 PM Dan Carpenter <dan.carpenter@...aro.org> wrote:
>
> This patch only affects 32bit systems. There are several integer
> overflows bugs here but only the "sizeof(u32) * num_syncobj"
> multiplication is a problem at runtime. (The last lines of this patch).
>
> These variables are u32 variables that come from the user. The issue
> is the multiplications can overflow leading to us allocating a smaller
> buffer than intended. For the first couple integer overflows, the
> syncobj_handles = memdup_user() allocation is immediately followed by
> a kmalloc_array():
>
> syncobj = kmalloc_array(num_syncobj_handles, sizeof(*syncobj), GFP_KERNEL);
>
> In that situation the kmalloc_array() works as a bounds check and we
> haven't accessed the syncobj_handlesp[] array yet so the integer overflow
> is harmless.
>
> But the "num_syncobj" multiplication doesn't have that and the integer
> overflow could lead to an out of bounds access.
>
> Fixes: a292fdecd728 ("drm/amdgpu: Implement userqueue signal/wait IOCTL")
> Cc: stable@...r.kernel.org
> Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
> index 029cb24c28b3..bd79f105d77f 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
> @@ -430,7 +430,7 @@ int amdgpu_userq_signal_ioctl(struct drm_device *dev, void *data,
>
> num_syncobj_handles = args->num_syncobj_handles;
> syncobj_handles = memdup_user(u64_to_user_ptr(args->syncobj_handles),
> - sizeof(u32) * num_syncobj_handles);
> + size_mul(sizeof(u32), num_syncobj_handles));
> if (IS_ERR(syncobj_handles))
> return PTR_ERR(syncobj_handles);
>
> @@ -612,13 +612,13 @@ int amdgpu_userq_wait_ioctl(struct drm_device *dev, void *data,
>
> num_read_bo_handles = wait_info->num_bo_read_handles;
> bo_handles_read = memdup_user(u64_to_user_ptr(wait_info->bo_read_handles),
> - sizeof(u32) * num_read_bo_handles);
> + size_mul(sizeof(u32), num_read_bo_handles));
> if (IS_ERR(bo_handles_read))
> return PTR_ERR(bo_handles_read);
>
> num_write_bo_handles = wait_info->num_bo_write_handles;
> bo_handles_write = memdup_user(u64_to_user_ptr(wait_info->bo_write_handles),
> - sizeof(u32) * num_write_bo_handles);
> + size_mul(sizeof(u32), num_write_bo_handles));
> if (IS_ERR(bo_handles_write)) {
> r = PTR_ERR(bo_handles_write);
> goto free_bo_handles_read;
> @@ -626,7 +626,7 @@ int amdgpu_userq_wait_ioctl(struct drm_device *dev, void *data,
>
> num_syncobj = wait_info->num_syncobj_handles;
> syncobj_handles = memdup_user(u64_to_user_ptr(wait_info->syncobj_handles),
> - sizeof(u32) * num_syncobj);
> + size_mul(sizeof(u32), num_syncobj));
> if (IS_ERR(syncobj_handles)) {
> r = PTR_ERR(syncobj_handles);
> goto free_bo_handles_write;
> --
> 2.47.2
>
Powered by blists - more mailing lists