From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Antonio Argenziano, Chris Wilson, Joonas Lahtinen, Tvrtko Ursulin, Rodrigo Vivi, Sasha Levin
Subject: [PATCH 4.19 109/190] drm/i915: Sanity check mmap length against object size
Date: Fri, 13 Sep 2019 14:06:04 +0100
Message-Id: <20190913130608.433465428@linuxfoundation.org>

[ Upstream commit 000c4f90e3f0194eef218ff2c6a8fd8ca1de4313 ]

We assumed that vm_mmap() would reject an attempt to mmap past the end of the filp (our object), but we were wrong.

Applications that tried to use the mmap beyond the end of the object would be greeted by a SIGBUS. After this patch, those applications will be told about the error on creating the mmap, rather than at a random moment on later access.

Reported-by: Antonio Argenziano
Testcase: igt/gem_mmap/bad-size
Signed-off-by: Chris Wilson
Cc: Antonio Argenziano
Cc: Joonas Lahtinen
Cc: Tvrtko Ursulin
Cc: stable@vger.kernel.org
Reviewed-by: Tvrtko Ursulin
Reviewed-by: Joonas Lahtinen
Link: https://patchwork.freedesktop.org/patch/msgid/20190314075829.16838-1-chris@chris-wilson.co.uk
(cherry picked from commit 794a11cb67201ad1bb61af510bb8460280feb3f3)
Signed-off-by: Rodrigo Vivi
Signed-off-by: Sasha Levin

--- drivers/gpu/drm/i915/i915_gem.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index 9634d3adb8d01..9372877100420 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c 
@@ -1874,8 +1874,13 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, * pages from. */ if (!obj->base.filp) { - i915_gem_object_put(obj); - return -ENXIO; + addr = -ENXIO; + goto err; + } + + if (range_overflows(args->offset, args->size, (u64)obj->base.size)) { + addr = -EINVAL; + goto err; } addr = vm_mmap(obj->base.filp, 0, args->size, @@ -1889,8 +1894,8 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, struct vm_area_struct *vma; if (down_write_killable(&mm->mmap_sem)) { - i915_gem_object_put(obj); - return -EINTR; + addr = -EINTR; + goto err; } vma = find_vma(mm, addr); if (vma && __vma_matches(vma, obj->base.filp, addr, args->size)) @@ -1908,12 +1913,10 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, i915_gem_object_put(obj); args->addr_ptr = (uint64_t) addr; - return 0; err: i915_gem_object_put(obj); - return addr; } -- 2.20.1
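
Review bot: the new range_overflows() check in the first hunk has no comment saying why the driver must validate the range itself; the reason (vm_mmap() does not reject a mapping that runs past the end of the filp) lives only in the commit message. A one-line comment above `if (range_overflows(args->offset, args->size, (u64)obj->base.size))` would keep a later cleanup from dropping the check as redundant. Only the third argument is cast to u64, so it is also worth confirming that args->offset and args->size are 64-bit and the comparison is done at a single width.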
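
Review bot: in the second hunk's down_write_killable() failure path, addr is overwritten with -EINTR before `goto err`, and assuming addr still holds the result of the vm_mmap() call shown in the first hunk at that point, the mapping's address is discarded and the function returns without undoing the mapping. This matches the old `return -EINTR` behaviour, and down_write_killable() only fails on a fatal signal, so it is probably harmless, but a short comment stating that would save the next reader the same question.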
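
Review bot: at the err label in the last hunk, `return addr;` now carries the errno values stored by the earlier hunks (-ENXIO, -EINVAL, -EINTR) in the same variable that is cast to uint64_t for args->addr_ptr on the success path. The declaration of addr is outside the visible context; if it is an unsigned type, the error return relies on the conversion back to the function's return type, which deserves a comment, or a separate `int err` would keep addresses and error codes apart.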