From 7f38e1e1063e1b9b2c8368c741ff5e679091e9f8 Mon Sep 17 00:00:00 2001 From: Paulo Zanoni Date: Mon, 26 Jun 2023 14:22:20 -0700 Subject: [PATCH] drm/xe: fix bounds checking for 'len' in xe_engine_create_ioctl MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit There's this shared machine running xe.ko and I often log in to see my tmux corrupted by messages such as: usercopy: Kernel memory overwrite attempt detected to wrapped address (offset 0, size 18446660151965198754)! I also sometimes see: kernel BUG at mm/usercopy.c:102! Someone is running a program that's definitely submitting random numbers to this ioctl. If you pass width=65535 and num_placements=32769 then you get a negative 'len', which avoids the EINVAL check, leading to the bug. Switch 'len' to u32. It is the result of the multiplication of two u16 numbers, so it won't be able to overflow back into smaller numbers as an u32. v2: Make len u32 instead of checking for <=0 (José). Signed-off-by: Paulo Zanoni Reviewed-by: José Roberto de Souza Reviewed-by: Matthew Brost Reviewed-by: Lucas De Marchi Link: https://lore.kernel.org/r/20230626212221.136640-1-paulo.r.zanoni@intel.com Signed-off-by: Lucas De Marchi Signed-off-by: Rodrigo Vivi --- drivers/gpu/drm/xe/xe_engine.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/xe/xe_engine.c b/drivers/gpu/drm/xe/xe_engine.c index 097a1ea06002f..f1b8b22e0216d 100644 --- a/drivers/gpu/drm/xe/xe_engine.c +++ b/drivers/gpu/drm/xe/xe_engine.c @@ -522,7 +522,7 @@ int xe_engine_create_ioctl(struct drm_device *dev, void *data, struct xe_engine *e = NULL; u32 logical_mask; u32 id; - int len; + u32 len; int err; if (XE_IOCTL_ERR(xe, args->flags) || -- 2.30.2
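Review bot: the `u32 len;` declaration in xe_engine_create_ioctl fixes the signedness only where the product is stored, while the multiplication and the EINVAL check that the commit message relies on are unchanged and outside this hunk. Both operands are u16, so C promotes them to int before multiplying. For width=65535 and num_placements=32769 the product is therefore still computed as a signed int that wraps, and only then converted to u32. That gives the right value only because the kernel is built with -fno-strict-overflow. Suggest casting one operand to u32 at the multiplication site so the unsigned arithmetic is explicit, and confirming that every later use of len, including the bounds check and the size passed to the user copy named in the commit message, treats it as unsigned. The commit message also has no Fixes: tag pointing at the change that introduced `int len`.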