Commit 7f38e1e1 authored by Paulo Zanoni, committed by Rodrigo Vivi

drm/xe: fix bounds checking for 'len' in xe_engine_create_ioctl

There's this shared machine running xe.ko and I often log in to see my
tmux corrupted by messages such as:

    usercopy: Kernel memory overwrite attempt detected to wrapped address (offset 0, size 18446660151965198754)!

I also sometimes see:

    kernel BUG at mm/usercopy.c:102!

Someone is running a program that's definitely submitting random
numbers to this ioctl. If you pass width=65535 and
num_placements=32769 then you get a negative 'len', which avoids the
EINVAL check, leading to the bug.

Switch 'len' to u32. It is the result of the multiplication of two u16
numbers, so it won't be able to overflow back into smaller numbers as
a u32.

v2: Make len u32 instead of checking for <=0 (José).
Signed-off-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Reviewed-by: José Roberto de Souza <jose.souza@intel.com>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
Link: https://lore.kernel.org/r/20230626212221.136640-1-paulo.r.zanoni@intel.com
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
parent f07d9a61
...@@ -522,7 +522,7 @@ int xe_engine_create_ioctl(struct drm_device *dev, void *data, ...@@ -522,7 +522,7 @@ int xe_engine_create_ioctl(struct drm_device *dev, void *data,
struct xe_engine *e = NULL; struct xe_engine *e = NULL;
u32 logical_mask; u32 logical_mask;
u32 id; u32 id;
int len; u32 len;
int err; int err;
if (XE_IOCTL_ERR(xe, args->flags) || if (XE_IOCTL_ERR(xe, args->flags) ||
......
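Review bot: At `u32 len;`, changing the destination type does not change the type the product is computed in. The commit message says len is the product of two u16 values, and in C both operands are promoted to int before the multiply, so width=65535 and num_placements=32769 still overflow a signed int in the intermediate result and only become the intended value on conversion to u32. That works because the kernel is built with wrapping signed overflow, but casting one operand to u32 at the multiplication (outside the visible context) would make the arithmetic unsigned by construction. It is also worth confirming that the EINVAL check mentioned in the message compares len against an unsigned upper bound, since that comparison is now the only thing rejecting oversized values before the user copy.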