RE: [bug report] drm/amdkfd: CRIU checkpoint and restore queue mqds

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Dan,
Thank you for catching this. I will look into it and post a patch.

Regards,
David

-----Original Message-----
From: Dan Carpenter <dan.carpenter@xxxxxxxxxx> 
Sent: Friday, February 18, 2022 2:30 AM
To: Yat Sin, David <David.YatSin@xxxxxxx>
Cc: amd-gfx@xxxxxxxxxxxxxxxxxxxxx; dri-devel@xxxxxxxxxxxxxxxxxxxxx
Subject: [bug report] drm/amdkfd: CRIU checkpoint and restore queue mqds

Hello David Yat Sin,

The patch 42c6c48214b7: "drm/amdkfd: CRIU checkpoint and restore queue mqds" from Jan 25, 2021, leads to the following Smatch static checker warning:

	drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_mqd_manager_v9.c:344 restore_mqd()
	error: 'ctl_stack_size' from user is not capped properly

drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
   762        int kfd_criu_restore_queue(struct kfd_process *p,
   763                                   uint8_t __user *user_priv_ptr,
   764                                   uint64_t *priv_data_offset,
   765                                   uint64_t max_priv_data_size)
   766        {
   767                uint8_t *mqd, *ctl_stack, *q_extra_data = NULL;
   768                struct kfd_criu_queue_priv_data *q_data;
   769                struct kfd_process_device *pdd;
   770                uint64_t q_extra_data_size;
   771                struct queue_properties qp;
   772                unsigned int queue_id;
   773                int ret = 0;
   774
   775                if (*priv_data_offset + sizeof(*q_data) > max_priv_data_size)
   776                        return -EINVAL;
   777
   778                q_data = kmalloc(sizeof(*q_data), GFP_KERNEL);
   779                if (!q_data)
   780                        return -ENOMEM;
   781
   782                ret = copy_from_user(q_data, user_priv_ptr + *priv_data_offset, sizeof(*q_data));
   783                if (ret) {
   784                        ret = -EFAULT;
   785                        goto exit;
   786                }
   787
   788                *priv_data_offset += sizeof(*q_data);
   789                q_extra_data_size = q_data->ctl_stack_size + q_data->mqd_size;
                                          ^^^^^^^^^^^^^^^^^^^^^^ ctl_stack_size comes from the user a couple lines earlier.  It's a u32 and so is q_data->mqd_size.  This addition can have an integer overflow.

   790
   791                if (*priv_data_offset + q_extra_data_size > max_priv_data_size) {'
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Which means that this limit check doesn't work.

   792                        ret = -EINVAL;
   793                        goto exit;
   794                }
   795
   796                q_extra_data = kmalloc(q_extra_data_size, GFP_KERNEL);
   797                if (!q_extra_data) {
   798                        ret = -ENOMEM;
   799                        goto exit;
   800                }
   801
   802                ret = copy_from_user(q_extra_data, user_priv_ptr + *priv_data_offset, q_extra_data_size);
   803                if (ret) {
   804                        ret = -EFAULT;
   805                        goto exit;
   806                }


regards,
dan carpenter
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux