| From b062672e305ce071f21eb9e18b102c2a430e0999 Mon Sep 17 00:00:00 2001 |
| From: Chris Wilson <chris@chris-wilson.co.uk> |
| Date: Wed, 16 Oct 2013 11:22:44 +0100 |
| Subject: drm: Prevent overwriting from userspace underallocating core ioctl structs |
| |
| From: Chris Wilson <chris@chris-wilson.co.uk> |
| |
| commit b062672e305ce071f21eb9e18b102c2a430e0999 upstream. |
| |
| Apply the protections from |
| |
| commit 1b2f1489633888d4a06028315dc19d65768a1c05 |
| Author: Dave Airlie <airlied@redhat.com> |
| Date: Sat Aug 14 20:20:34 2010 +1000 |
| |
| drm: block userspace under allocating buffer and having drivers overwrite it (v2) |
| |
| to the core ioctl structs as well, for we found one instance where there |
| is a 32-/64-bit size mismatch and were guilty of writing beyond the end |
| of the user's buffer. |
| |
| Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> |
| Cc: Dave Airlie <airlied@redhat.com> |
| Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com> |
| Cc: dri-devel@lists.freedesktop.org |
| Signed-off-by: Dave Airlie <airlied@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/gpu/drm/drm_drv.c | 9 ++++++++- |
| 1 file changed, 8 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/gpu/drm/drm_drv.c |
| +++ b/drivers/gpu/drm/drm_drv.c |
| @@ -420,9 +420,16 @@ long drm_ioctl(struct file *filp, |
| asize = drv_size; |
| } |
| else if ((nr >= DRM_COMMAND_END) || (nr < DRM_COMMAND_BASE)) { |
| + u32 drv_size; |
| + |
| ioctl = &drm_ioctls[nr]; |
| - cmd = ioctl->cmd; |
| + |
| + drv_size = _IOC_SIZE(ioctl->cmd); |
| usize = asize = _IOC_SIZE(cmd); |
| + if (drv_size > asize) |
| + asize = drv_size; |
| + |
| + cmd = ioctl->cmd; |
| } else |
| goto err_i1; |
| |