Open Source and information security mailing list archives
Message-Id: <20251129141438.8789-1-bigalex934@gmail.com>
Date: Sat, 29 Nov 2025 17:14:40 +0300
From: Alexey Simakov <bigalex934@...il.com>
To: bskeggs@...hat.com
Cc: Alexey Simakov <bigalex934@...il.com>,
	David Airlie <airlied@...ux.ie>,
	Daniel Vetter <daniel@...ll.ch>,
	Francisco Jerez <currojerez@...eup.net>,
	dri-devel@...ts.freedesktop.org,
	nouveau@...ts.freedesktop.org,
	linux-kernel@...r.kernel.org,
	lvc-project@...uxtesting.org,
	Alexandr Sapozhnikov <alsp705@...il.com>
Subject: 

Date: Sat, 29 Nov 2025 17:06:57 +0300
Subject: [PATCH v2] drm/nouveau: fix div-by-zero in nouveau_bo_fixup_align

The expression 64 * nvbo->mode can be zero when nvbo->mode equals
U32_MAX / 64, causing a division by zero in do_div(). Values greater
than U32_MAX / 64 cause a u32 overflow, leading to incorrect results.

Since nvbo->mode comes from userspace via ioctl, it must be validated
to prevent crashes or undefined behavior.

Add a check to ensure nvbo->mode is less than U32_MAX / 64
before use in multiplication.

Found by Linux Verification Center (linuxtesting.org) with Svace.

Fixes: a0af9add499c ("drm/nouveau: Make the MM aware of pre-G80 tiling.")
Co-developed-by: Alexandr Sapozhnikov <alsp705@...il.com>
Signed-off-by: Alexandr Sapozhnikov <alsp705@...il.com>
Signed-off-by: Alexey Simakov <bigalex934@...il.com>
---

v2 - move the value check to the beginning of nouveau_bo_alloc to
prevent execution of the function when tile_mode is too large

link to v1: https://lore.kernel.org/dri-devel/20251022041302.13-1-alsp705@gmail.com/

 drivers/gpu/drm/nouveau/nouveau_bo.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/nouveau/nouveau_bo.c b/drivers/gpu/drm/nouveau/nouveau_bo.c
index 96a8b7b1215e..774888ffa4a8 100644
--- a/drivers/gpu/drm/nouveau/nouveau_bo.c
+++ b/drivers/gpu/drm/nouveau/nouveau_bo.c
@@ -207,6 +207,9 @@ nouveau_bo_alloc(struct nouveau_cli *cli, u64 *size, int *align, u32 domain,
 	struct nvif_vmm *vmm = cli->svm.cli ? &cli->svm.vmm : &cli->vmm.vmm;
 	int i, pi = -1;
 
+	if (tile_mode > U32_MAX / 64)
+		return ERR_PTR(-EINVAL);
+
 	if (!*size) {
 		NV_WARN(drm, "skipped size %016llx\n", *size);
 		return ERR_PTR(-EINVAL);
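
Review bot: The bound in `if (tile_mode > U32_MAX / 64)` does not match the commit message, which asks for the value to be "less than U32_MAX / 64" and says the product is zero at exactly U32_MAX / 64; this check accepts equality. The arithmetic supports the code: in u32, 64 * (U32_MAX / 64) is 0xFFFFFFC0, and the first value whose product wraps to zero is U32_MAX / 64 + 1, so the message should be corrected rather than the comparison. Two smaller points on the same lines: the new return is silent, while the `!*size` check directly below it logs through NV_WARN before returning the same -EINVAL, so a rejected ioctl gives no hint about which argument was bad; and the multiplication being guarded is in nouveau_bo_fixup_align according to the subject line, not in this function, so a short comment above the check stating that it keeps 64 * tile_mode from overflowing u32 there would stop a later cleanup from dropping it as an unexplained magic bound.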
-- 
2.34.1

