Message-ID: <CAPj87rNG8gT-Wk+rQnFMsbCBqX6pL=qZY--_5=Z4XchLNsM5Ng@mail.gmail.com>
Date: Tue, 12 Aug 2025 13:53:56 +0100
From: Daniel Stone <daniel@...ishbar.org>
To: "Rob Herring (Arm)" <robh@...nel.org>
Cc: Tomeu Vizoso <tomeu@...euvizoso.net>, Krzysztof Kozlowski <krzk+dt@...nel.org>, 
	Conor Dooley <conor+dt@...nel.org>, Oded Gabbay <ogabbay@...nel.org>, 
	Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>, Maxime Ripard <mripard@...nel.org>, 
	Thomas Zimmermann <tzimmermann@...e.de>, David Airlie <airlied@...il.com>, Simona Vetter <simona@...ll.ch>, 
	Sumit Semwal <sumit.semwal@...aro.org>, Christian König <christian.koenig@....com>, 
	Robin Murphy <robin.murphy@....com>, Steven Price <steven.price@....com>, devicetree@...r.kernel.org, 
	linux-kernel@...r.kernel.org, dri-devel@...ts.freedesktop.org, 
	linux-media@...r.kernel.org, linaro-mm-sig@...ts.linaro.org
Subject: Re: [PATCH v2 2/2] accel: Add Arm Ethos-U NPU driver

Hi Rob,

On Mon, 11 Aug 2025 at 22:05, Rob Herring (Arm) <robh@...nel.org> wrote:
> +static int ethos_ioctl_submit_job(struct drm_device *dev, struct drm_file *file,
> +                                  struct drm_ethos_job *job)
> +{
> +       [...]
> +       ejob->cmd_bo = drm_gem_object_lookup(file, job->cmd_bo);
> +       cmd_info = to_ethos_bo(ejob->cmd_bo)->info;
> +       if (!ejob->cmd_bo)
> +               goto out_cleanup_job;
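
Review bot: to_ethos_bo(ejob->cmd_bo)->info is read one line before the if (!ejob->cmd_bo) test, so a handle that drm_gem_object_lookup() cannot resolve (it returns NULL) is dereferenced before it is rejected. Move the NULL test directly under the lookup, make sure ret holds an error code at that goto since the visible lines do not set one, and validate cmd_info before it is used if info can be unset for a BO that was not created as a command stream.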

NULL deref here if this points to a non-command BO. Which is better
than wild DMA, but hey.

> +       for (int i = 0; i < NPU_BASEP_REGION_MAX; i++) {
> +               struct drm_gem_object *gem;
> +
> +               if (job->region_bo_handles[i] == 0)
> +                       continue;
> +
> +               /* Don't allow a region to point to the cmd BO */
> +               if (job->region_bo_handles[i] == job->cmd_bo) {
> +                       ret = -EINVAL;
> +                       goto out_cleanup_job;
> +               }
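
Review bot: the test job->region_bo_handles[i] == job->cmd_bo compares handle values, so it only rejects this job's own command BO; a handle naming a different command BO passes it. If no region may be a command stream, make the decision on the looked-up object instead (for example reject when to_ethos_bo(gem)->info is set), and test gem for NULL before that, since a non-zero handle is not necessarily a valid one.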

And here I suppose you want to check if the BO's info pointer is
non-NULL, i.e. disallow use of _any_ command BO instead of only
disallowing this job's own command BO.

(There's also a NULL deref if an invalid GEM handle is specified.)

Cheers,
Daniel
