On Tue, Oct 22, 2013 at 10:38:03AM +0100, Chris Wilson wrote:
> Prevent the user from passing in an ioctl command with up to 16,383
> bytes specified for the struct to be allocated and copied, and
> instead only allocate enough space to satisfy the kernel.
> 
> Suggested-by: Pavel Roskin <proski at gnu.org>
> Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
> Cc: Pavel Roskin <proski at gnu.org>
> Cc: dri-devel at lists.freedesktop.org

Reviewed-by: Ville Syrjälä <ville.syrjala at linux.intel.com>

> ---
>  drivers/gpu/drm/drm_drv.c | 30 +++++++++++++-----------------
>  1 file changed, 13 insertions(+), 17 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
> index 05ad9ba0a67e..8c5fbc9d41ad 100644
> --- a/drivers/gpu/drm/drm_drv.c
> +++ b/drivers/gpu/drm/drm_drv.c
> @@ -354,6 +354,16 @@ static int drm_version(struct drm_device *dev, void 
> *data,
>       return err;
>  }
>  
> +static unsigned ioctl_size(unsigned kcmd, unsigned ucmd, unsigned *ksize, 
> unsigned *usize)
> +{
> +     *ksize = _IOC_SIZE(kcmd);
> +     *usize = _IOC_SIZE(ucmd);
> +     if (*usize > *ksize)
> +             *usize = *ksize;
> +
> +     return kcmd;
> +}
> +
>  /**
>   * Called whenever a process performs an ioctl on /dev/drm.
>   *
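
Review bot: ioctl_size() returns kcmd, which is only its first argument handed back, so the name and the return value do not match; a reader expects a size. Consider making the helper return void and assigning cmd directly at the call sites, or renaming it. A short comment above it would also help, stating that *usize is clamped to *ksize so the user copy can never exceed the kernel-sized allocation. When *usize ends up smaller than *ksize, the lines shown here do not say how the remaining bytes of the kernel buffer are initialised, which is worth confirming in the caller.
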
> @@ -393,25 +403,11 @@ long drm_ioctl(struct file *filp,
>               goto err_i1;
>       if ((nr >= DRM_COMMAND_BASE) && (nr < DRM_COMMAND_END) &&
>           (nr < DRM_COMMAND_BASE + dev->driver->num_ioctls)) {
> -             u32 drv_size;
>               ioctl = &dev->driver->ioctls[nr - DRM_COMMAND_BASE];
> -             drv_size = _IOC_SIZE(ioctl->cmd_drv);
> -             usize = asize = _IOC_SIZE(cmd);
> -             if (drv_size > asize)
> -                     asize = drv_size;
> -             cmd = ioctl->cmd_drv;
> -     }
> -     else if ((nr >= DRM_COMMAND_END) || (nr < DRM_COMMAND_BASE)) {
> -             u32 drv_size;
> -
> +             cmd = ioctl_size(ioctl->cmd_drv, cmd, &asize, &usize);
> +     } else if ((nr >= DRM_COMMAND_END) || (nr < DRM_COMMAND_BASE)) {
>               ioctl = &drm_ioctls[nr];
> -
> -             drv_size = _IOC_SIZE(ioctl->cmd);
> -             usize = asize = _IOC_SIZE(cmd);
> -             if (drv_size > asize)
> -                     asize = drv_size;
> -
> -             cmd = ioctl->cmd;
> +             cmd = ioctl_size(ioctl->cmd, cmd, &asize, &usize);
>       } else
>               goto err_i1;
>  
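
Review bot: with asize now taken from the kernel's command and usize clamped to it, a caller whose struct is larger than the kernel's no longer has the extra bytes allocated or copied, whereas the removed lines grew asize to the larger of the two sizes. That matches the commit message, but it is a behaviour change for userspace built against a different struct size and deserves a sentence in the commit message or a comment at the two ioctl_size() call sites. Separately, since the `} else if` line is being reformatted anyway, the final `} else` / `goto err_i1;` could gain braces to match the other branches.
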
> -- 
> 1.8.4.rc3
> 

-- 
Ville Syrjälä
Intel OTC
