On Thu, Mar 15, 2018 at 01:17:23PM +0000, Chris Wilson wrote:
> Quoting Dan Carpenter (2018-03-15 13:10:30)
> > Hello Chris Wilson,
> >
> > The patch 2889caa92321: "drm/i915: Eliminate lots of iterations over
> > the execobjects array" from Jun 16, 2017, leads to the following
> > static checker warning:
> >
> > drivers/gpu/drm/i915/i915_gem_execbuffer.c:2546 i915_gem_execbuffer_ioctl()
> > warn: calling '__copy_to_user()' without access_ok()
> >
> > drivers/gpu/drm/i915/i915_gem_execbuffer.c
> > 2510 err = copy_from_user(exec_list,
> > 2511 u64_to_user_ptr(args->buffers_ptr),
> > 2512 sizeof(*exec_list) * count);
> > 2513 if (err) {
> > 2514 DRM_DEBUG("copy %d exec entries failed %d\n",
> > 2515 args->buffer_count, err);
> > 2516 kvfree(exec_list);
> > 2517 kvfree(exec2_list);
> > 2518 return -EFAULT;
> > 2519 }
> > 2520
> > 2521 for (i = 0; i < args->buffer_count; i++) {
> > 2522 exec2_list[i].handle = exec_list[i].handle;
> > 2523 exec2_list[i].relocation_count = exec_list[i].relocation_count;
> > 2524 exec2_list[i].relocs_ptr = exec_list[i].relocs_ptr;
> > 2525 exec2_list[i].alignment = exec_list[i].alignment;
> > 2526 exec2_list[i].offset = exec_list[i].offset;
> > 2527 if (INTEL_GEN(to_i915(dev)) < 4)
> > 2528 exec2_list[i].flags = EXEC_OBJECT_NEEDS_FENCE;
> > 2529 else
> > 2530 exec2_list[i].flags = 0;
> > 2531 }
> > 2532
> > 2533 err = i915_gem_do_execbuffer(dev, file, &exec2, exec2_list, NULL);
> > 2534 if (exec2.flags & __EXEC_HAS_RELOC) {
> > 2535 struct drm_i915_gem_exec_object __user *user_exec_list =
> > 2536 u64_to_user_ptr(args->buffers_ptr);
> > 2537
> > 2538 /* Copy the new buffer offsets back to the user's exec list. */
> > 2539 for (i = 0; i < args->buffer_count; i++) {
> > 2540 if (!(exec2_list[i].offset & UPDATE))
> > 2541 continue;
> > 2542
> > 2543 exec2_list[i].offset =
> > 2544 gen8_canonical_addr(exec2_list[i].offset & PIN_OFFSET_MASK);
> > 2545 exec2_list[i].offset &= PIN_OFFSET_MASK;
> > 2546 if (__copy_to_user(&user_exec_list[i].offset,
> > 2547 &exec2_list[i].offset,
> > ^^^^^^^^^^^^^^^^^^^^
> > 2548 sizeof(user_exec_list[i].offset)))
> > 2549 break;
> >
> > The story of this warning is that one day Linus was grumpy about
> > security issues and said something like, "We should make it a rule that
> > code which uses __copy_to_user() should call access_ok() in that exact
> > same function or it becomes too hard to audit and error prone. Can
> > someone write a static checker for this?" And so I did. But up to now
> > I've always just looked at the code and either figured out where the
> > access_ok() is or just assumed that "Probably it's there if I looked
> > harder".
> >
> > But today I've drawn a line in the sand! No more!
> >
> > Also the error code is wrong, we should return -EFAULT if the copy
> > fails. ;)
>
> There is an access_ok on that address earlier
Which function?
regards,
dan carpenter
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
