Date: Fri, 31 Mar 2017 08:07:12 -0700
From: Sinclair Yeh
To: Vladis Dronov
CC: VMware Graphics, Thomas Hellstrom, David Airlie
Subject: Re: [PATCH] kernel: drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl()
Message-ID: <20170331150712.GB33594@syeh-m02>
In-Reply-To: <20170330102712.3123-1-vdronov@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Vladis,

On Thu, Mar 30, 2017 at 12:27:12PM +0200, Vladis Dronov wrote:
> The 'req->mip_levels' parameter in vmw_gb_surface_define_ioctl() is
> a user-controlled 'uint32_t' value which is used as a loop count limit.
> This can lead to a kernel lockup and DoS. Add check for 'req->mip_levels'.
>
> References:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__bugzilla.redhat.com_show-5Fbug.cgi-3Fid-3D1437431&d=DwIBAg&c=uilaK90D4TOVoH58JNXRgQ&r=HaJ2a6NYExoV0cntAYcoqA&m=5yR87BuuU86aoAjCveInxh6jvgOyumqIHQhTs0xLo38&s=tWQs7vwNLgD_b2RWMddVtusEKh9FQTIF5rKFOWudslE&e=
> Signed-off-by: Vladis Dronov
> ---
> drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> index b445ce9..b30824b 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> @@ -1281,6 +1281,10 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
> if (req->multisample_count != 0)
> return -EINVAL;
>
> + if (req->mip_levels > DRM_VMW_MAX_SURFACE_FACES *
> + DRM_VMW_MAX_MIP_LEVELS)
> + return -EINVAL;
> +

Here, the check should be "> DRM_VMW_MAX_MIP_LEVELS" because req->mip_levels
is only for one layer.

Also, as long as we are doing a check, I would suggest we check for 0
as well.

Sinclair
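
Review bot: In the added test that follows the multisample_count check, the upper bound is the product DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS, yet the commit message only says "Add check for 'req->mip_levels'" and gives no reason for choosing that product as the limit. The reply above states that the field describes a single layer, in which case the comparison should be against DRM_VMW_MAX_MIP_LEVELS alone. The condition also has no lower bound, so a value of 0 passes; if a zero mip level count is not meaningful for this ioctl, reject it in the same test, and state the chosen minimum and maximum in the commit message so the bound on the user-controlled loop count is documented.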