Re: [PATCH 1/8] drm/fb: More paranoia in addfb checks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Nov 15, 2019 at 1:44 PM Ville Syrjälä
<ville.syrjala@xxxxxxxxxxxxxxx> wrote:
>
> On Fri, Nov 15, 2019 at 10:21:13AM +0100, Daniel Vetter wrote:
> > - Our limit is uint32_t, make that explicit.
> >
> > - Untangle the one overflow check, I think (but not sure) that with
> >   all three together you could overflow the uint64_t and it'd look
> >   cool again.
>
> It can't overflow. All theree inputs are u32 so the max value
> you can get is 0xffffffff00000000.

Hm right, I just checked, I guess I should have beforehand.

> > Hence two steps. Also go with the more common (and imo
> >   safer approach)
>
> Also results in multiple divisions which is needlessly expensive.
> The original is just mul+add.
>
> > of reducing the range we accept, instead of trying
> >   to compute the overflow in high enough precision.
> >
> > - The above would blow up if we get a 0 pitches, so check for that
> >   too, but only if block_size is a thing.
> >
> > Cc: Pekka Paalanen <pekka.paalanen@xxxxxxxxxxxxxxx>
> > Signed-off-by: Daniel Vetter <daniel.vetter@xxxxxxxxx>
> > ---
> >  drivers/gpu/drm/drm_framebuffer.c | 17 +++++++++++------
> >  1 file changed, 11 insertions(+), 6 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/drm_framebuffer.c b/drivers/gpu/drm/drm_framebuffer.c
> > index 57564318ceea..3141c6ed6dd2 100644
> > --- a/drivers/gpu/drm/drm_framebuffer.c
> > +++ b/drivers/gpu/drm/drm_framebuffer.c
> > @@ -214,15 +214,20 @@ static int framebuffer_check(struct drm_device *dev,
> >                       return -EINVAL;
> >               }
> >
> > -             if (min_pitch > UINT_MAX)
> > +             if (min_pitch > U8_MAX)
>
> U8?

Oh dear, some patch editing gone really wrong. I think I'll drop this
one here, not doing any good :-)
-Daniel

>
> >                       return -ERANGE;
> >
> > -             if ((uint64_t) height * r->pitches[i] + r->offsets[i] > UINT_MAX)
> > -                     return -ERANGE;
> > +             if (block_size) {
> > +                     if (r->pitches[i] < min_pitch) {
> > +                             DRM_DEBUG_KMS("bad pitch %u for plane %d\n", r->pitches[i], i);
> > +                             return -EINVAL;
> > +                     }
> >
> > -             if (block_size && r->pitches[i] < min_pitch) {
> > -                     DRM_DEBUG_KMS("bad pitch %u for plane %d\n", r->pitches[i], i);
> > -                     return -EINVAL;
> > +                     if (height > U8_MAX / r->pitches[i])
> > +                             return -ERANGE;
> > +
> > +                     if (r->offsets[i] > U8_MAX / r->pitches[i] - height)
> > +                             return -ERANGE;
> >               }
> >
> >               if (r->modifier[i] && !(r->flags & DRM_MODE_FB_MODIFIERS)) {
> > --
> > 2.24.0
> >
> > _______________________________________________
> > Intel-gfx mailing list
> > Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
> > https://lists.freedesktop.org/mailman/listinfo/intel-gfx
>
> --
> Ville Syrjälä
> Intel



-- 
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/intel-gfx




[Index of Archives]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux