On Wed, Nov 06, 2019 at 05:47:55PM +0100, Daniel Vetter wrote:
> The hardened usercpy code is too paranoid ever since:
>
> commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe
> Author: Kees Cook <keescook@xxxxxxxxxxxx>
> Date: Wed Nov 6 16:07:01 2019 +1100
>
> uaccess: disallow > INT_MAX copy sizes
>
> Code itself should have been fine as-is.
>
> Reported-by: syzbot+fb77e97ebf0612ee6914@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: Alexander Viro <viro@xxxxxxxxxxxxxxxxxx>
> Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> Cc: Stephen Rothwell <sfr@xxxxxxxxxxxxxxxx>
> Signed-off-by: Daniel Vetter <daniel.vetter@xxxxxxxxx>
> --
> Kees/Andrew,
>
> Since this is -mm can I have a stable sha1 or something for
> referencing? Or do you want to include this in the -mm patch bomb for
> the merge window?
> -Daniel
> ---
> drivers/gpu/drm/drm_property.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
> index 892ce636ef72..6ee04803c362 100644
> --- a/drivers/gpu/drm/drm_property.c
> +++ b/drivers/gpu/drm/drm_property.c
> @@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
> struct drm_property_blob *blob;
> int ret;
>
> - if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
> + if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
> return ERR_PTR(-EINVAL);
INT_MAX should be more than enough.
Reviewed-by: Ville Syrjälä <ville.syrjala@xxxxxxxxxxxxxxx>
>
> blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
> --
> 2.24.0.rc2
>
> _______________________________________________
> dri-devel mailing list
> dri-devel@xxxxxxxxxxxxxxxxxxxxx
> https://lists.freedesktop.org/mailman/listinfo/dri-devel
--
Ville Syrjälä
Intel
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel
