Received: by 2002:a05:6358:53a8:b0:117:f937:c515 with SMTP id z40csp191916rwe; Fri, 14 Apr 2023 00:58:26 -0700 (PDT) X-Google-Smtp-Source: AKy350aVsHUZD4zQLF7Qglz4MCDgRKHV8FbPuq1LOfYNfNIzRfwIK2cg3DOpM3kwefwlJvFcNQgk X-Received: by 2002:a17:90a:468c:b0:244:ae65:8a8d with SMTP id z12-20020a17090a468c00b00244ae658a8dmr5027329pjf.31.1681459105756; Fri, 14 Apr 2023 00:58:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1681459105; cv=none; d=google.com; s=arc-20160816; b=qGOuKG8za83dRC/MKLluhD4gioVZ9+qNKYsgbg8GHlupVvaPEeri5EVvmOxa7v7kz5 o6/tSQ8sCKnk9e/P6DtbRqSWJ7UnkFOZx5DmCjmvwKq3AYq2OzCFI+4AXQuUT8YzQTNf x4ijLFveNnAa+z1RrTD0BO/Or5mn1y8YH7zvLx5S/+v7bxU9bvER6V+AtDKEOb0cxCnz jKZylQKa+bfAs1zOYIJxzxXtMrP17smY/v227DjwCQPs9gSGou/SDkEeeMETsD3AP9r8 QnMIVrxhKTdVdPF4re0d8DiFeuQhMQwiKzcwkRA9a56y1HVLTzwnwbGSEgk+QV8rYFAN stRg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=HX2r5dtqKV/2C2mwITf+tmDjaCFC07LGdrxM2/zq5mY=; b=Vp4YkN7aZ5Jur3KtiWZyUVTEg4tFZQOke7leqHr+XJh2v9qUB8KNgtO4t6yqChVAW/ /k1CPlFks7AH65wRw2bo/wW7fQKZ72gveOspDkwpZEsyqPriu4ClFixmTjypEoFCUywm OPSg/rWhGbI1PfHN9U136Hehe4n8CotdWdWEQbE6ELZFq0Mks2KaGdoZLO1IShSZIeNI BVD8TL8wJK3W4HbK9KQ0xNyE+A8+NKgPY1VfcLgtqJ3WgKP5gtnqevfZ60uxjMxP2LAH mUeyh2+s5D2rEs/IrM4n16Ips60mpPddh2b8BqUqwytTWw6ruDgXdTak4VptV8hLjb8d +vcQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ffwll.ch header.s=google header.b=ZcxcspjH; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id e7-20020a6558c7000000b00513218b46b1si4136845pgu.385.2023.04.14.00.58.12; Fri, 14 Apr 2023 00:58:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@ffwll.ch header.s=google header.b=ZcxcspjH; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229814AbjDNH5I (ORCPT + 99 others); Fri, 14 Apr 2023 03:57:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43122 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229933AbjDNH4y (ORCPT ); Fri, 14 Apr 2023 03:56:54 -0400 Received: from mail-oi1-x235.google.com (mail-oi1-x235.google.com [IPv6:2607:f8b0:4864:20::235]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1DF627AAB for ; Fri, 14 Apr 2023 00:56:52 -0700 (PDT) Received: by mail-oi1-x235.google.com with SMTP id z16so11172534oib.9 for ; Fri, 14 Apr 2023 00:56:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ffwll.ch; s=google; t=1681459011; x=1684051011; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=HX2r5dtqKV/2C2mwITf+tmDjaCFC07LGdrxM2/zq5mY=; b=ZcxcspjHZccEylJwyzfpxUmLL3EA2L9/WeFRA056Up8mdGav5ZoTcCmmQ6eAarn9ag pe2upzhypDiyWVk2sCONlU+Xl6U+m8pa4Y6bMsWEZGKOQ5u/j3TLLOGf0+2UgP14f3Gy QTAET00puVvPYfclpJRUwDZfag2GoxyCZmV4g= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681459011; x=1684051011; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=HX2r5dtqKV/2C2mwITf+tmDjaCFC07LGdrxM2/zq5mY=; b=VOXJo+LTw8NdsmhBRcNOa1P1VdXNfVfpwFfEDkJ/M8ge0NGvvFWjOKoWCIWGzY18TI nHveQFvwRoS/Gs4JhztUkogf/u2uC64ptMN9wSsfty8QSmnsTD0hrZmVAqok+FeOlGO8 04AI66NkRPaMzPHtWOl8/o8oKtvQqUG13o98cxJmurw4rWJ8aGH3NnNFN2eBHPxQdll7 g6bp3QJOWF6wfBx54rvOjVmAIj/Z3MNclhqK9v+Mlzt0nVbJiQF1iQSj8+fGCkpVLO7l I0gxkLEn68qhwXRZwYuDl7Vz3HQbBmDtLDpOGYkaklWKOgWsPEo15gUoYau+5KrqhNGZ y6mw== X-Gm-Message-State: AAQBX9ffnCtgWok3PWqLNFfhw6/FaX9meG5get/kmHM9XdBWdTtTpD91 HthsIUsbtGxuEIGuyv6g1LYnh7MmZxlY5NwISSPerg== X-Received: by 2002:aca:df06:0:b0:38c:319c:2f6f with SMTP id w6-20020acadf06000000b0038c319c2f6fmr529838oig.8.1681459011345; Fri, 14 Apr 2023 00:56:51 -0700 (PDT) MIME-Version: 1.0 References: <20230409132110.494630-1-15330273260@189.cn> <42f16d0d-4e1a-a016-f4cc-af24efa75f1c@189.cn> <531f0bdf-2ae8-0361-183b-57b40df6345f@189.cn> <1bbc7228-c2fe-0af0-c15c-b378bc4d111c@suse.de> <1b44a3b5-5053-f121-ee62-de83d505759e@189.cn> <410baaef-bc55-cb2a-2e92-a407ce5cad04@suse.de> In-Reply-To: <410baaef-bc55-cb2a-2e92-a407ce5cad04@suse.de> From: Daniel Vetter Date: Fri, 14 Apr 2023 09:56:39 +0200 Message-ID: Subject: Re: [PATCH] drm/fbdev-generic: fix potential out-of-bounds access To: Thomas Zimmermann Cc: Sui Jingfeng <15330273260@189.cn>, Maarten Lankhorst , Maxime Ripard , David Airlie , Li Yi , Helge Deller , Lucas De Marchi , linux-kernel@vger.kernel.org, linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, loongson-kernel@lists.loongnix.cn Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_NONE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 14 Apr 2023 at 09:34, Thomas Zimmermann wrote= : > > Hi > > Am 14.04.23 um 07:36 schrieb Daniel Vetter: > > On Fri, 14 Apr 2023 at 06:24, Sui Jingfeng <15330273260@189.cn> wrote: > >> > >> Hi, > >> > >> On 2023/4/14 04:01, Daniel Vetter wrote: > >>> On Thu, Apr 13, 2023 at 09:20:23PM +0200, Thomas Zimmermann wrote: > >>>> Hi > >>>> > >>>> Am 13.04.23 um 20:56 schrieb Daniel Vetter: > >>>> [...] > >>>>> This should switch the existing code over to using drm_framebuffer = instead > >>>>> of fbdev: > >>>>> > >>>>> > >>>>> diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_= fb_helper.c > >>>>> index ef4eb8b12766..99ca69dd432f 100644 > >>>>> --- a/drivers/gpu/drm/drm_fb_helper.c > >>>>> +++ b/drivers/gpu/drm/drm_fb_helper.c > >>>>> @@ -647,22 +647,26 @@ static void drm_fb_helper_damage(struct drm_f= b_helper *helper, u32 x, u32 y, > >>>>> static void drm_fb_helper_memory_range_to_clip(struct fb_info *= info, off_t off, size_t len, > >>>>> struct drm_rect *clip) > >>>>> { > >>>>> + struct drm_fb_helper *helper =3D info->par; > >>>>> + > >>>>> off_t end =3D off + len; > >>>>> u32 x1 =3D 0; > >>>>> u32 y1 =3D off / info->fix.line_length; > >>>>> - u32 x2 =3D info->var.xres; > >>>>> - u32 y2 =3D DIV_ROUND_UP(end, info->fix.line_length); > >>>>> + u32 x2 =3D helper->fb->height; > >>>>> + unsigned stride =3D helper->fb->pitches[0]; > >>>>> + u32 y2 =3D DIV_ROUND_UP(end, stride); > >>>>> + int bpp =3D drm_format_info_bpp(helper->fb->format, 0); > >>>> Please DONT do that. The code here is fbdev code and shouldn't bothe= r about > >>>> DRM data structures. Actually, it shouldn't be here: a number of fbd= ev > >>>> drivers with deferred I/O contain similar code and the fbdev module = should > >>>> provide us with a helper. (I think I even had some patches somewhere= .) > >>> Well my thinking is that it's a drm driver, > >> > >> Yes, I actually agree with this, and the code looks quite good. And I > >> really want to adopt it. > >> > >> Because here is DRM, we should emulate the fbdev in the DRM's way. > >> > >> The DRM is really the big brother on the behind of emulated fbdev, > >> > >> who provide the real displayable backing memory and scant out engine t= o > >> display such a buffer. > >> > >> > >> But currently, the fact is, drm_fb_helper.c still initializes lots of > >> data structure come from fbdev world. > >> > >> For example, the drm_fb_helper_fill_fix() and drm_fb_helper_fill_var() > >> in drm_fb_helper_fill_info() function. > >> > >> This saying implicitly that the fbdev-generic is a glue layer which co= py > >> damage frame buffer data > >> > >> from the front end(fbdev layer) to its drm backend. It's not a 100% > >> replacement its fbdev front end, > >> > >> rather, it relay on it. > >> > >> > >>> so if we have issue with limit > >>> checks blowing up it makes more sense to check them against drm limit= s. > >>> Plus a lot more people understand those than fbdev. They should all m= atch > >>> anyway, or if they dont, we have a bug. > >> > >> Yes, this is really what I'm worry about. > >> > >> I see that members of struct fb_var_screeninfo can be changed by > >> user-space. For example, xoffset and yoffset. > >> > >> There is no change about 'info->var.xres' and 'info->var.yres' from th= e > >> userspace, > >> > >> therefore, they should all match in practice. > >> > >> > >> User-space can choose a use a smaller dispaly area than 'var.xres x > >> var.yres', > >> > >> but that is implemented with 'var.xoffset' and 'var.xoffset'. > >> > >> But consider that the name 'var', which may stand for 'variation' or > >> 'vary'. This is terrifying. > >> > >> I imagine, with a shadow buffer, the front end can do any modeset on t= he > >> runtime freely, > >> > >> including change the format of frame buffer on the runtime. Just do n= ot > >> out-of-bound. > >> > >> The middle do the conversion on the fly. > >> > >> > >> We might also create double shadow buffer size to allow the front end = to > >> pan? > > > > Yeah so the front should be able to pan. And the front-end can > > actually make xres/yres smalle than drm_fb->height/width, so we _have_ > > to use the fb side of things. Otherwise it's a bug I just realized. > > What are you talking about? The GEM buffer is a full fbdev framebuffer, > which is screen resolution multiplied by the overall factor. The shadow > buffer is exactly the same size. You can already easily pan within these > buffers. > > There's also no need/way to change video modes or formats in the shadow > buffer. If we'd ever support that, it would be implemented in the DRM > driver's modesetting. The relationship between GEM buffer and shadow > buffer remains unaffected by this. Try it and be amazed :-) I've seen enough syzkaller bugs and screamed at them that yes we do this. Also xres/yres is the wrong thing even if you don't use fb ioctl to change things up in multi-monitor cases (we allocate the drm_fb/fbdev virtual size to match the biggest resolution, but then set fbinfo->var.x/yres to match the smallest to make sure fbcon is fully visible everywhere). I think you're confusion is the perfect case for why we really should use fb->height/width/pitches[0] here. -Daniel > > Best regards > Thomas > > > > > The xres_virtual/yres_virtual should always match drm_fb sizes (but > > we've had bugs in the past for that, only recently fixed all in > > linux-next), because that's supposed to be the max size. And since we > > never reallocate the fbdev emulation fb (at least with the current > > code) this should never change. > > > > But fundamentally you're bringing up a very good point, we've had > > piles of bugs in the past with not properly validating the fbdev side > > information in info->var, and a bunch of resulting bugs. So validating > > against the drm side of things should be a bit more robust. > > > > It's kinda the same we do for legacy kms ioctls: We translate that to > > atomic kms as fast as possible, and then do the entire subsequent > > validation with atomic kms data structures. > > -Daniel > > > >>> The thing is, if you change this > >>> further to just pass the drm_framebuffer, then this 100% becomes a dr= m > >>> function, which could be used by anything in drm really. > >> > >> I agree with you. > >> > >> If I use fb_width/fb_height directly and bypassing 'info->var.xres" an= d > >> "info->var.yres", > >> > >> the code style diverged then. As far as I am understanding, the clip > >> happen on the front end, > >> > >> the actual damage update happen at back end. > >> > >> Using the data structure come with the front end is more reasonable fo= r > >> current implement. > >> > >>> But also *shrug*. > >> > >> I can convert this single function to 100% drm with another patch. > >> > >> But, maybe there also have other functions are not 100% drm > >> > >> I would like do something to help achieve this in the future, > >> > >> let me help to fix this bug first? > >> > >>> -Daniel > > > > > > > > -- > Thomas Zimmermann > Graphics Driver Developer > SUSE Software Solutions Germany GmbH > Maxfeldstr. 5, 90409 N=C3=BCrnberg, Germany > (HRB 36809, AG N=C3=BCrnberg) > Gesch=C3=A4ftsf=C3=BChrer: Ivo Totev --=20 Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch