git.maquefel.me Git - linux.git/commit

author	Paulo Zanoni <paulo.r.zanoni@intel.com>
	Mon, 26 Jun 2023 21:22:20 +0000 (14:22 -0700)
committer	Rodrigo Vivi <rodrigo.vivi@intel.com>
	Thu, 21 Dec 2023 16:35:05 +0000 (11:35 -0500)
commit	7f38e1e1063e1b9b2c8368c741ff5e679091e9f8
tree	9da788caaa1c2071a306c470c71e75906fea5f21	tree \| snapshot
parent	f07d9a615b7b257bf2c2197262769286ddc75109	commit \| diff

drm/xe: fix bounds checking for 'len' in xe_engine_create_ioctl

There's this shared machine running xe.ko and I often log in to see my
tmux corrupted by messages such as:

usercopy: Kernel memory overwrite attempt detected to wrapped address (offset 0, size 18446660151965198754)!

I also sometimes see:

kernel BUG at mm/usercopy.c:102!

Someone is running a program that's definitely submitting random
numbers to this ioctl. If you pass width=65535 and
num_placements=32769 then you get a negative 'len', which avoids the
EINVAL check, leading to the bug.

Switch 'len' to u32. It is the result of the multiplication of two u16
numbers, so it won't be able to overflow back into smaller numbers as
an u32.

v2: Make len u32 instead of checking for <=0 (José).

Signed-off-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Reviewed-by: José Roberto de Souza <jose.souza@intel.com>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
Link: https://lore.kernel.org/r/20230626212221.136640-1-paulo.r.zanoni@intel.com
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>