From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dan Carpenter, Lucas Stach, Christian Gmeiner
Subject: [PATCH 5.4 256/320] drm/etnaviv: limit submit sizes
Date: Mon, 24 Jan 2022 19:44:00 +0100
Message-Id: <20220124184002.698750045@linuxfoundation.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220124183953.750177707@linuxfoundation.org>
References: <20220124183953.750177707@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Lucas Stach

commit 6dfa2fab8ddd46faa771a102672176bee7a065de upstream.

Currently we allow ridiculous amounts of kernel memory being allocated
via the etnaviv GEM_SUBMIT ioctl, which is a pretty easy DoS vector. Put
some reasonable limits in to fix this.

The commandstream size is limited to 64KB, which was already a soft limit
on older kernels after which the kernel only took submits on a best effort
basis, so there is no userspace that tries to submit commandstreams larger
than this. Even if the whole commandstream is a single incrementing address
load, the size limit also limits the number of potential relocs and
referenced buffers to slightly under 64K, so use the same limit for those
arguments. The performance monitoring infrastructure currently supports
less than 50 performance counter signals, so limiting them to 128 on a
single submit seems like a reasonably future-proof number for now. This
number can be bumped if needed without breaking the interface.

Cc: stable@vger.kernel.org
Reported-by: Dan Carpenter
Signed-off-by: Lucas Stach
Reviewed-by: Christian Gmeiner
Signed-off-by: Greg Kroah-Hartman
--- drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c +++ b/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c
@@ -471,6 +471,12 @@ int etnaviv_ioctl_gem_submit(struct drm_ return -EINVAL; } + if (args->stream_size > SZ_64K || args->nr_relocs > SZ_64K || + args->nr_bos > SZ_64K || args->nr_pmrs > 128) { + DRM_ERROR("submit arguments out of size limits\n"); + return -EINVAL; + } + /* * Copy the command submission and bo array to kernel space in * one go, and do this outside of any locks.
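
Review bot: the DRM_ERROR() in the new size check fires on values taken straight from the ioctl arguments, so any caller that can issue GEM_SUBMIT can print it as often as it likes; a rate-limited or debug-level message (for example DRM_ERROR_RATELIMITED, assuming it is available in this tree) would keep the rejection path from becoming a log-flooding vector of its own. The message also does not say which of stream_size, nr_relocs, nr_bos or nr_pmrs was rejected, which makes a legitimate userspace failure harder to diagnose. Separately, the bare 128 for nr_pmrs and the use of SZ_64K as an element count for nr_relocs and nr_bos are explained only in the commit message; a named constant and a short comment above the check would carry that reasoning in the code.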