Date: Fri, 31 Mar 2017 08:07:12 -0700
From: Sinclair Yeh <syeh@vmware.com>
To: Vladis Dronov <vdronov@redhat.com>
CC: VMware Graphics <linux-graphics-maintainer@vmware.com>,
        Thomas Hellstrom <thellstrom@vmware.com>,
        David Airlie <airlied@linux.ie>, <dri-devel@lists.freedesktop.org>,
        <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] kernel: drm/vmwgfx: limit the number of mip levels in
 vmw_gb_surface_define_ioctl()
Message-ID: <20170331150712.GB33594@syeh-m02>
References: <20170330102712.3123-1-vdronov@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20170330102712.3123-1-vdronov@redhat.com>
User-Agent: Mutt/1.8.0 (2017-02-23)
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 31 Mar 2017 15:07:21.0555 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR05MB3281
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1404
Lines: 35

Hi Vladis,


On Thu, Mar 30, 2017 at 12:27:12PM +0200, Vladis Dronov wrote:
> The 'req->mip_levels' parameter in vmw_gb_surface_define_ioctl() is
> a user-controlled 'uint32_t' value which is used as a loop count limit.
> This can lead to a kernel lockup and DoS. Add check for 'req->mip_levels'.
> 
> References:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__bugzilla.redhat.com_show-5Fbug.cgi-3Fid-3D1437431&d=DwIBAg&c=uilaK90D4TOVoH58JNXRgQ&r=HaJ2a6NYExoV0cntAYcoqA&m=5yR87BuuU86aoAjCveInxh6jvgOyumqIHQhTs0xLo38&s=tWQs7vwNLgD_b2RWMddVtusEKh9FQTIF5rKFOWudslE&e= 
> Signed-off-by: Vladis Dronov <vdronov@redhat.com>
> ---
>  drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> index b445ce9..b30824b 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> @@ -1281,6 +1281,10 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
>  	if (req->multisample_count != 0)
>  		return -EINVAL;
>  
> +	if (req->mip_levels > DRM_VMW_MAX_SURFACE_FACES *
> +	    DRM_VMW_MAX_MIP_LEVELS)
> +		return -EINVAL;
> +

Here, the check should be "> DRM_VMW_MAX_MIP_LEVELS" because req->mip_levels
is only for one layer.

Also, as long as we can doing a check, I would suggest we check for 0 as
well.

Sinclair