[PATCH] drm: Limit to INT_MAX in create_blob ioctl

Daniel Vetter <daniel.vetter@xxxxxxxx> · Wed, 6 Nov 2019 17:47:55 +0100

The hardened usercpy code is too paranoid ever since:

commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe
Author: Kees Cook <keescook@xxxxxxxxxxxx>
Date:   Wed Nov 6 16:07:01 2019 +1100

    uaccess: disallow > INT_MAX copy sizes

Code itself should have been fine as-is.

Reported-by: syzbot+fb77e97ebf0612ee6914@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
Cc: Kees Cook <keescook@xxxxxxxxxxxx>
Cc: Alexander Viro <viro@xxxxxxxxxxxxxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Cc: Stephen Rothwell <sfr@xxxxxxxxxxxxxxxx>
Signed-off-by: Daniel Vetter <daniel.vetter@xxxxxxxxx>
--
Kees/Andrew,

Since this is -mm can I have a stable sha1 or something for
referencing? Or do you want to include this in the -mm patch bomb for
the merge window?
-Daniel
---
 drivers/gpu/drm/drm_property.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
index 892ce636ef72..6ee04803c362 100644
--- a/drivers/gpu/drm/drm_property.c
+++ b/drivers/gpu/drm/drm_property.c
@@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
 	struct drm_property_blob *blob;
 	int ret;
 
-	if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
+	if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
 		return ERR_PTR(-EINVAL);
 
 	blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
-- 
2.24.0.rc2

_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel







