From: Daniel Vetter
Date: Fri, 18 Jan 2019 18:15:44 +0100
Subject: Re: [PATCH v3 23/23] drm/qxl: add overflow checks to qxl_mode_dumb_create()
To: Ville Syrjälä
Cc: Gerd Hoffmann, dri-devel, Dave Airlie, David Airlie, "open list:DRM DRIVER FOR QXL VIRTUAL GPU", "open list:DRM DRIVER FOR QXL VIRTUAL GPU", open list
References: <20190118122020.27596-1-kraxel@redhat.com> <20190118122020.27596-24-kraxel@redhat.com> <20190118154944.GH3271@phenom.ffwll.local> <20190118163233.GM20097@intel.com>
In-Reply-To: <20190118163233.GM20097@intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jan 18, 2019 at 5:32 PM Ville Syrjälä wrote:
>
> On Fri, Jan 18, 2019 at 04:49:44PM +0100, Daniel Vetter wrote:
> > On Fri, Jan 18, 2019 at 01:20:20PM +0100, Gerd Hoffmann wrote:
> > > Signed-off-by: Gerd Hoffmann
> >
> > We already do all reasonable overflow checks in drm_mode_create_dumb(). If
> > you don't trust them I think it would be better time spent typing an igt to
> > test this than adding redundant check in all drivers.
> >
> > You're also missing one check for bpp underflows :-)
>
> BTW I just noticed that we don't seem to be validating
> create_dumb->flags at all. Someone should probably add some
> checks for that, or mark it as deprecated in case we already
> lost the battle with userspace stack garbage.

Given that every kms client/compositor under the sun uses this (or
well, all the generic ones at least) I think we can safely assume to
have lost that battle :-/
-Daniel

>
> > -Daniel
> >
> > > --- > > > drivers/gpu/drm/qxl/qxl_dumb.c | 10 ++++++---- > > > 1 file changed, 6 insertions(+), 4 deletions(-) > > > > > > diff --git a/drivers/gpu/drm/qxl/qxl_dumb.c b/drivers/gpu/drm/qxl/qxl= _dumb.c > > > index 272d19b677..bed6d06ee4 100644 > > > --- a/drivers/gpu/drm/qxl/qxl_dumb.c > > > +++ b/drivers/gpu/drm/qxl/qxl_dumb.c
> > > @@ -37,11 +37,13 @@ int qxl_mode_dumb_create(struct drm_file *file_pr= iv, > > > uint32_t handle; > > > int r; > > > struct qxl_surface surf; > > > - uint32_t pitch, format; > > > + uint32_t pitch, size, format; > > > > > > - pitch =3D args->width * ((args->bpp + 1) / 8); > > > - args->size =3D pitch * args->height; > > > - args->size =3D ALIGN(args->size, PAGE_SIZE); > > > + if (check_mul_overflow(args->width, ((args->bpp + 1) / 8), &pitch= )) > > > + return -EINVAL; > > > + if (check_mul_overflow(pitch, args->height, &size)) > > > + return -EINVAL; > > > + args->size =3D ALIGN(size, PAGE_SIZE); > > > > > > switch (args->bpp) { > > > case 16: > > > -- > > > 2.9.3
> > >
> >
> > --
> > Daniel Vetter
> > Software Engineer, Intel Corporation
> > http://blog.ffwll.ch
> > _______________________________________________
> > dri-devel mailing list
> > dri-devel@lists.freedesktop.org
> > https://lists.freedesktop.org/mailman/listinfo/dri-devel
>
> --
> Ville Syrjälä
> Intel

--
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch
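
Review bot: in the quoted qxl_mode_dumb_create() hunk, the arithmetic on either side of the two check_mul_overflow() calls is still unchecked. The bytes-per-pixel operand (args->bpp + 1) / 8 is evaluated before the first check, so the args->bpp + 1 addition is not covered, and integer division makes the operand 0 for any bpp below 7, which gives pitch 0 and size 0 and passes both checks; nothing in the hunk rejects that before the switch (args->bpp) that follows. After the second check, size is a uint32_t, so ALIGN(size, PAGE_SIZE) rounds up in 32 bits and can wrap to 0 when size is within a page of the 32-bit maximum; assigning into args->size (a 64-bit field in struct drm_mode_create_dumb) first and aligning that, as the removed lines did, avoids the wrap. The commit message also carries only a Signed-off-by; it should say why the driver needs these checks, given the reply in this thread that drm_mode_create_dumb() already performs them.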