From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dan Carpenter, Lucas Stach, Christian Gmeiner
Subject: [PATCH 5.16 0860/1039] drm/etnaviv: limit submit sizes
Date: Mon, 24 Jan 2022 19:44:09 +0100
Message-Id: <20220124184154.205642921@linuxfoundation.org>
In-Reply-To: <20220124184125.121143506@linuxfoundation.org>
References: <20220124184125.121143506@linuxfoundation.org>

From: Lucas Stach

commit 6dfa2fab8ddd46faa771a102672176bee7a065de upstream.

Currently we allow ridiculous amounts of kernel memory being allocated
via the etnaviv GEM_SUBMIT ioctl, which is a pretty easy DoS vector. Put
some reasonable limits in to fix this.

The commandstream size is limited to 64KB, which was already a soft limit
on older kernels after which the kernel only took submits on a best effort
basis, so there is no userspace that tries to submit commandstreams larger
than this. Even if the whole commandstream is a single incrementing address
load, the size limit also limits the number of potential relocs and
referenced buffers to slightly under 64K, so use the same limit for those
arguments. The performance monitoring infrastructure currently supports
fewer than 50 performance counter signals, so limiting them to 128 on a
single submit seems like a reasonably future-proof number for now. This
number can be bumped if needed without breaking the interface.

Cc: stable@vger.kernel.org
Reported-by: Dan Carpenter
Signed-off-by: Lucas Stach
Reviewed-by: Christian Gmeiner
Signed-off-by: Greg Kroah-Hartman
---
 drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c
+++ b/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c
@@ -469,6 +469,12 @@ int etnaviv_ioctl_gem_submit(struct drm_ return -EINVAL; } + if (args->stream_size > SZ_64K || args->nr_relocs > SZ_64K || + args->nr_bos > SZ_64K || args->nr_pmrs > 128) { + DRM_ERROR("submit arguments out of size limits\n"); + return -EINVAL; + } + /* * Copy the command submission and bo array to kernel space in * one go, and do this outside of any locks.
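
Review bot: The added DRM_ERROR("submit arguments out of size limits\n") sits on a path that any caller of the submit ioctl can reach at will by passing an oversized stream_size, nr_relocs, nr_bos or nr_pmrs, so the check that closes the allocation DoS leaves a way to flood the kernel log at error level. Consider DRM_DEBUG or DRM_ERROR_RATELIMITED here, and name the offending field in the message so that a genuine userspace bug can be diagnosed from the log. Separately, SZ_64K is a byte-size constant reused as an element count for nr_relocs and nr_bos, and 128 is a bare literal; named limits with a short comment carrying the rationale from the commit message would make the bump the commit message anticipates easier to locate and review.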