From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dan Carpenter, Lucas Stach, Christian Gmeiner
Subject: [PATCH 4.9 121/157] drm/etnaviv: limit submit sizes
Date: Mon, 24 Jan 2022 19:43:31 +0100
Message-Id: <20220124183936.614611281@linuxfoundation.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220124183932.787526760@linuxfoundation.org>
References: <20220124183932.787526760@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Lucas Stach

commit 6dfa2fab8ddd46faa771a102672176bee7a065de upstream.

Currently we allow ridiculous amounts of kernel memory being allocated via the etnaviv GEM_SUBMIT ioctl, which is a pretty easy DoS vector. Put some reasonable limits in to fix this.

The commandstream size is limited to 64KB, which was already a soft limit on older kernels after which the kernel only took submits on a best effort base, so there is no userspace that tries to submit commandstreams larger than this. Even if the whole commandstream is a single incrementing address load, the size limit also limits the number of potential relocs and referenced buffers to slightly under 64K, so use the same limit for those arguments. The performance monitoring infrastructure currently supports less than 50 performance counter signals, so limiting them to 128 on a single submit seems like a reasonably future-proof number for now. This number can be bumped if needed without breaking the interface.

Cc: stable@vger.kernel.org
Reported-by: Dan Carpenter
Signed-off-by: Lucas Stach
Reviewed-by: Christian Gmeiner
Signed-off-by: Greg Kroah-Hartman
--- drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c +++ b/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c 
@@ -325,6 +325,12 @@ int etnaviv_ioctl_gem_submit(struct drm_ return -EINVAL; } + if (args->stream_size > SZ_64K || args->nr_relocs > SZ_64K || + args->nr_bos > SZ_64K || args->nr_pmrs > 128) { + DRM_ERROR("submit arguments out of size limits\n"); + return -EINVAL; + } + /* * Copy the command submission and bo array to kernel space in * one go, and do this outside of any locks.
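
Review bot: The limits in the added `if` are bare values with no in-code rationale: `SZ_64K`, a byte-size constant, is reused as an element count for `args->nr_relocs` and `args->nr_bos`, and `args->nr_pmrs > 128` is a magic number. The commit message explains both (relocs and referenced buffers are bounded by the 64KB stream size; fewer than 50 counter signals exist today and the number can be bumped), so named constants or a short comment above the check would let a later bump happen without digging through the commit log. The comparisons use `>`, so a count of exactly 65536 is accepted while the message speaks of "slightly under 64K"; that is harmless as an upper bound but worth stating. The single `DRM_ERROR("submit arguments out of size limits\n")` does not say which of the four fields tripped the check, and since this path is reachable from userspace with arbitrary arguments, a rate-limited or debug-level message would keep a misbehaving caller from filling the kernel log.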