Message-ID: <03cc262da2a3db817aa5663fbce6c914708b74f8.camel@perches.com>
Subject: Re: [PATCH] drm/nouveau/nvif: Avoid build error due to potential integer overflows
From: Joe Perches
To: Guenter Roeck, Kees Cook, Christophe JAILLET
Cc: airlied@gmail.com, dakr@redhat.com, daniel@ffwll.ch, dri-devel@lists.freedesktop.org, jani.nikula@intel.com, javierm@redhat.com, kherbst@redhat.com, linux-kernel@vger.kernel.org, lyude@redhat.com, mripard@kernel.org, nouveau@lists.freedesktop.org, tzimmermann@suse.de, linux-hardening@vger.kernel.org
Date: Sat, 18 May 2024 18:19:18 -0700
References: <20240518143743.313872-1-linux@roeck-us.net> <34a6d812-b4ed-4465-b0ec-e641d185b9b1@wanadoo.fr> <202405181020.2D0A364F@keescook>

On Sat, 2024-05-18 at 11:23 -0700, Guenter Roeck wrote:
> On 5/18/24 10:32, Kees Cook wrote:
>
[]
> > I think the INT_MAX test is actually better in this case because
> > nvif_object_ioctl()'s size argument is u32:
> >
> >         ret = nvif_object_ioctl(object, args, sizeof(*args) + size, NULL);
> >                                               ^^^^^^^^^^^^^^^^^^^^
> >
> > So that could wrap around, even though the allocation may not.
> >
> > Better yet, since "sizeof(*args) + size" is repeated 3 times in the
> > function, I'd recommend:
> >
> > 	...
> > 	u32 args_size;
> >
> > 	if (check_add_overflow(sizeof(*args), size, &args_size))
> > 		return -ENOMEM;
> > 	if (args_size > sizeof(stack)) {
> > 		if (!(args = kmalloc(args_size, GFP_KERNEL)))

trivia: More typical kernel style would use separate alloc and test

		args = kmalloc(args_size, GFP_KERNEL);
		if (!args)

> > 			return -ENOMEM;
> > 	} else {
> > 		args = (void *)stack;
> > 	}
> > 	...
> > 	ret = nvif_object_ioctl(object, args, args_size, NULL);
> >
> > This will catch the u32 overflow to nvif_object_ioctl(), catch an
> > allocation underflow on 32-bits systems, and make the code more
> > readable. :)
> >
>
> Makes sense. I'll change that and send v2.
>
> Thanks,
> Guenter
>
>
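
The u32 wrap-around discussed in the quoted text, as an added user-space example that is not part of the original thread or the nouveau source. Assumptions: `HDR_SIZE` is a constructed stand-in for `sizeof(*args)`, the caller's `size` is taken to be a `u32`, and the macro maps `check_add_overflow()` onto the GCC/Clang builtin.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

/* User-space stand-in for the kernel macro: overflow is judged against
 * the type of *d, so a u32 destination catches sums that exceed 32 bits. */
#define check_add_overflow(a, b, d) __builtin_add_overflow((a), (b), (d))

#define HDR_SIZE ((size_t)32)	/* constructed stand-in for sizeof(*args) */

/* Unchecked form: the sum is computed in size_t and then narrowed, as it
 * is when "sizeof(*args) + size" is passed to a u32 parameter. */
static u32 args_size_unchecked(u32 size)
{
	return (u32)(HDR_SIZE + size);
}

/* Checked form from the thread: 0 on success, -ENOMEM if the total does
 * not fit in u32 (the same test also covers a 32-bit size_t). */
static int args_size_checked(u32 size, u32 *args_size)
{
	if (check_add_overflow(HDR_SIZE, size, args_size))
		return -ENOMEM;
	return 0;
}

int main(void)
{
	/* Constructed inputs: ordinary, largest that fits, first that wraps. */
	u32 sizes[] = { 100, UINT32_MAX - 32, UINT32_MAX - 31, UINT32_MAX - 8 };

	for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
		u32 total = 0;
		int ret = args_size_checked(sizes[i], &total);

		printf("size=%u unchecked=%u checked ret=%d\n",
		       (unsigned)sizes[i],
		       (unsigned)args_size_unchecked(sizes[i]), ret);
	}
	return 0;
}
```

For the last input the unchecked total is 23, a small value that would pass any upper-bound test on the narrowed size, while the checked form returns `-ENOMEM`.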