Date: Fri, 18 Jan 2019 18:32:33 +0200
From: Ville Syrjälä
To: Gerd Hoffmann, dri-devel@lists.freedesktop.org, Dave Airlie, David Airlie, "open list:DRM DRIVER FOR QXL VIRTUAL GPU", "open list:DRM DRIVER FOR QXL VIRTUAL GPU", open list
Subject: Re: [PATCH v3 23/23] drm/qxl: add overflow checks to qxl_mode_dumb_create()
Message-ID: <20190118163233.GM20097@intel.com>
References: <20190118122020.27596-1-kraxel@redhat.com> <20190118122020.27596-24-kraxel@redhat.com> <20190118154944.GH3271@phenom.ffwll.local>
In-Reply-To: <20190118154944.GH3271@phenom.ffwll.local>

On Fri, Jan 18, 2019 at 04:49:44PM +0100, Daniel Vetter wrote:
> On Fri, Jan 18, 2019 at 01:20:20PM +0100, Gerd Hoffmann wrote:
> > Signed-off-by: Gerd Hoffmann
>
> We already do all reasonable overflow checks in drm_mode_create_dumb(). If
> you don't trust them I think it would be better time spent typing an igt to
> test this than adding redundant checks in all drivers.
>
> You're also missing one check for bpp underflows :-)

BTW I just noticed that we don't seem to be validating create_dumb->flags at all.
Someone should probably add some checks for that, or mark it as deprecated
in case we already lost the battle with userspace stack garbage.

> -Daniel
>
> > --- > > drivers/gpu/drm/qxl/qxl_dumb.c | 10 ++++++---- > > 1 file changed, 6 insertions(+), 4 deletions(-) > > > > diff --git a/drivers/gpu/drm/qxl/qxl_dumb.c b/drivers/gpu/drm/qxl/qxl_dumb.c > > index 272d19b677..bed6d06ee4 100644 > > --- a/drivers/gpu/drm/qxl/qxl_dumb.c > > +++ b/drivers/gpu/drm/qxl/qxl_dumb.c
> > @@ -37,11 +37,13 @@ int qxl_mode_dumb_create(struct drm_file *file_priv, > > uint32_t handle; > > int r; > > struct qxl_surface surf; > > - uint32_t pitch, format; > > + uint32_t pitch, size, format; > > > > - pitch = args->width * ((args->bpp + 1) / 8); > > - args->size = pitch * args->height; > > - args->size = ALIGN(args->size, PAGE_SIZE); > > + if (check_mul_overflow(args->width, ((args->bpp + 1) / 8), &pitch)) > > + return -EINVAL; > > + if (check_mul_overflow(pitch, args->height, &size)) > > + return -EINVAL; > > + args->size = ALIGN(size, PAGE_SIZE); > > > > switch (args->bpp) { > > case 16: > > -- > > 2.9.3 > >
>
> --
> Daniel Vetter
> Software Engineer, Intel Corporation
> http://blog.ffwll.ch

--
Ville Syrjälä
Intel
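
Review bot: `args->size = ALIGN(size, PAGE_SIZE);` at the end of the rewritten computation is still unchecked. `size` is declared uint32_t, so the round-up happens in 32 bits, and a product within a page of the 32-bit maximum passes both check_mul_overflow() calls and then wraps to 0. Do the alignment in a wider type, or reject sizes above the largest page-aligned 32-bit value before aligning. The `args->bpp + 1` addition is also evaluated before the first checked multiply, so a wrap there, or a bpp below 7 that makes the factor 0, gives a zero pitch and size that neither check rejects. The commit message carries only a Signed-off-by; it should say why the driver needs these checks in addition to the ones in drm_mode_create_dumb() mentioned in the reply.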