| From f75ae5f735c5e7f7411a915942795bdbded5f3c2 Mon Sep 17 00:00:00 2001 |
| From: Daniel Vetter <daniel.vetter@ffwll.ch> |
| Date: Wed, 4 Dec 2019 16:52:37 -0800 |
| Subject: [PATCH] drm: limit to INT_MAX in create_blob ioctl |
| |
| commit 5bf8bec3f4ce044a223c40cbce92590d938f0e9c upstream. |
| |
| The hardened usercopy code is too paranoid ever since commit 6a30afa8c1fb |
| ("uaccess: disallow > INT_MAX copy sizes") |
| |
| Code itself should have been fine as-is. |
| |
| Link: http://lkml.kernel.org/r/20191106164755.31478-1-daniel.vetter@ffwll.ch |
| Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> |
| Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com |
| Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes") |
| Cc: Kees Cook <keescook@chromium.org> |
| Cc: Alexander Viro <viro@zeniv.linux.org.uk> |
| Cc: Stephen Rothwell <sfr@canb.auug.org.au> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c |
| index f8ec8f9c3e7a..73db35dc430f 100644 |
| --- a/drivers/gpu/drm/drm_property.c |
| +++ b/drivers/gpu/drm/drm_property.c |
| @@ -556,7 +556,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length, |
| struct drm_property_blob *blob; |
| int ret; |
| |
| - if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob)) |
| + if (!length || length > INT_MAX - sizeof(struct drm_property_blob)) |
| return ERR_PTR(-EINVAL); |
| |
| blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); |
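Review bot: The check `length > INT_MAX - sizeof(struct drm_property_blob)` now does two jobs, guarding the `kvzalloc()` size sum against wrap-around and keeping the size under the uaccess copy limit, but nothing in the code says why INT_MAX was chosen. A comment above it such as `/* uaccess rejects copies > INT_MAX; cap header + payload there (also prevents size overflow) */` would keep a later cleanup from widening the bound again. The subtraction is evaluated in `size_t`, which is fine while the struct is far smaller than INT_MAX. The check still admits a `length` just under 2 GiB, which per the subject line originates from the create_blob ioctl, into a zeroed `GFP_KERNEL` allocation; if that path is reachable by unprivileged clients (not visible here), a tighter explicit cap or an accounted allocation may be worth a follow-up. The body of drm_property_create_blob() starts and ends outside this hunk.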
| -- |
| 2.7.4 |
| |