If, for any reason, the open-coded arithmetic causes a wraparound, the
protection that `struct_size()` adds against potential integer overflows
is defeated. Fix this by hardening call to `struct_size()` with `size_add()`.
Fixes: 40e1a70b4aed ("drm: Add GUD USB Display driver")
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
drivers/gpu/drm/gud/gud_pipe.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/gud/gud_pipe.c b/drivers/gpu/drm/gud/gud_pipe.c
index d2f199ea3c11..a02f75be81f0 100644
--- a/drivers/gpu/drm/gud/gud_pipe.c
+++ b/drivers/gpu/drm/gud/gud_pipe.c
@@ -503,7 +503,7 @@ int gud_pipe_check(struct drm_simple_display_pipe *pipe,
return -ENOENT;
len = struct_size(req, properties,
- GUD_PROPERTIES_MAX_NUM + GUD_CONNECTOR_PROPERTIES_MAX_NUM);
+ size_add(GUD_PROPERTIES_MAX_NUM, GUD_CONNECTOR_PROPERTIES_MAX_NUM));
req = kzalloc(len, GFP_KERNEL);
if (!req)
return -ENOMEM;
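Review bot: On the changed `struct_size()` argument, both operands passed to `size_add()` are uppercase macro constants, so their sum is a compile-time constant expression and cannot wrap at run time. The changelog's "if, for any reason ... wraparound" wording and the `Fixes:` tag therefore present this as a bug fix when it is a consistency change. Suggest describing it as converting open-coded arithmetic to the saturating helper for uniform allocation-size handling, and dropping `Fixes:` unless a real overflow path exists. The `if (!req)` check after `kzalloc(len, GFP_KERNEL)` already covers the case where a saturated `len` makes the allocation fail, so no further error handling is needed in this hunk.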
--
2.34.1
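The wraparound the commit message describes, shown in a userspace C model; this is an added example, not code from the patch or the kernel tree. `sat_add`, `sat_mul`, `model_struct_size`, the `demo_*` structs and the input values are constructed stand-ins for `size_add()`, `size_mul()` and `struct_size()`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace models of the kernel's saturating helpers (assumed names). */
static size_t sat_add(size_t a, size_t b)
{
	size_t r;
	return __builtin_add_overflow(a, b, &r) ? SIZE_MAX : r;
}

static size_t sat_mul(size_t a, size_t b)
{
	size_t r;
	return __builtin_mul_overflow(a, b, &r) ? SIZE_MAX : r;
}

/* Constructed stand-in for a request with a flexible array member. */
struct demo_prop { uint16_t prop; uint64_t val; };
struct demo_req { uint8_t hdr[8]; struct demo_prop properties[]; };

/* Models struct_size(req, properties, count): header + count * element. */
static size_t model_struct_size(size_t count)
{
	return sat_add(sizeof(struct demo_req),
		       sat_mul(count, sizeof(struct demo_prop)));
}

/* Open-coded sum: wraps before the saturating helper ever sees it. */
static size_t len_open_coded(size_t n1, size_t n2)
{
	return model_struct_size(n1 + n2);
}

/* Hardened sum: overflow saturates, so the result stays SIZE_MAX. */
static size_t len_hardened(size_t n1, size_t n2)
{
	return model_struct_size(sat_add(n1, n2));
}

int main(void)
{
	size_t n1 = SIZE_MAX - 1, n2 = 4;   /* constructed: n1 + n2 wraps to 2 */

	printf("open-coded: %zu\n", len_open_coded(n1, n2));
	printf("hardened:   %zu\n", len_hardened(n1, n2));
	return 0;
}
```

With the open-coded sum the computed length is the size of a two-element request, which an allocator would happily satisfy; with the saturating sum the length is `SIZE_MAX`, which makes the allocation fail and the caller's NULL check fire.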
On Fri, 15 Sep 2023 12:43:20 -0600, Gustavo A. R. Silva wrote:
> If, for any reason, the open-coded arithmetic causes a wraparound, the
> protection that `struct_size()` adds against potential integer overflows
> is defeated. Fix this by hardening call to `struct_size()` with `size_add()`.
>
>
Applied to for-next/hardening, thanks!
[1/1] drm/gud: Use size_add() in call to struct_size()
https://git.kernel.org/kees/c/836ccb46073e
Take care,
--
Kees Cook
On Fri, Sep 15, 2023 at 12:43:20PM -0600, Gustavo A. R. Silva wrote:
> If, for any reason, the open-coded arithmetic causes a wraparound, the
> protection that `struct_size()` adds against potential integer overflows
> is defeated. Fix this by hardening call to `struct_size()` with `size_add()`.
>
> Fixes: 40e1a70b4aed ("drm: Add GUD USB Display driver")
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> ---
> drivers/gpu/drm/gud/gud_pipe.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/gud/gud_pipe.c b/drivers/gpu/drm/gud/gud_pipe.c
> index d2f199ea3c11..a02f75be81f0 100644
> --- a/drivers/gpu/drm/gud/gud_pipe.c
> +++ b/drivers/gpu/drm/gud/gud_pipe.c
> @@ -503,7 +503,7 @@ int gud_pipe_check(struct drm_simple_display_pipe *pipe,
> return -ENOENT;
>
> len = struct_size(req, properties,
> - GUD_PROPERTIES_MAX_NUM + GUD_CONNECTOR_PROPERTIES_MAX_NUM);
> + size_add(GUD_PROPERTIES_MAX_NUM, GUD_CONNECTOR_PROPERTIES_MAX_NUM));
These are both constant expressions, so there's not too much value in
wrapping them with size_add(), but for maintaining a common coding style
for dealing with allocation sizes, I can be convinced of the change. :)
Reviewed-by: Kees Cook <keescook@chromium.org>
> req = kzalloc(len, GFP_KERNEL);
> if (!req)
> return -ENOMEM;
> --
> 2.34.1
>
--
Kees Cook
On 9/15/23 12:52, Kees Cook wrote:
> On Fri, Sep 15, 2023 at 12:43:20PM -0600, Gustavo A. R. Silva wrote:
>> If, for any reason, the open-coded arithmetic causes a wraparound, the
>> protection that `struct_size()` adds against potential integer overflows
>> is defeated. Fix this by hardening call to `struct_size()` with `size_add()`.
>>
>> Fixes: 40e1a70b4aed ("drm: Add GUD USB Display driver")
>> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
>> ---
>> drivers/gpu/drm/gud/gud_pipe.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/gud/gud_pipe.c b/drivers/gpu/drm/gud/gud_pipe.c
>> index d2f199ea3c11..a02f75be81f0 100644
>> --- a/drivers/gpu/drm/gud/gud_pipe.c
>> +++ b/drivers/gpu/drm/gud/gud_pipe.c
>> @@ -503,7 +503,7 @@ int gud_pipe_check(struct drm_simple_display_pipe *pipe,
>> return -ENOENT;
>>
>> len = struct_size(req, properties,
>> - GUD_PROPERTIES_MAX_NUM + GUD_CONNECTOR_PROPERTIES_MAX_NUM);
>> + size_add(GUD_PROPERTIES_MAX_NUM, GUD_CONNECTOR_PROPERTIES_MAX_NUM));
>
> These are both constant expressions, so there's not too much value in
> wrapping them with size_add(), but for maintaining a common coding style
> for dealing with allocation sizes, I can be convinced of the change. :)
Yep; I've found a mix of constant expressions and variables doing open-coded arithmetic
in `struct_size()`, so I'm sending them all.
>
> Reviewed-by: Kees Cook <keescook@chromium.org>
Thanks!
--
Gustavo
>
>
>> req = kzalloc(len, GFP_KERNEL);
>> if (!req)
>> return -ENOMEM;
>> --
>> 2.34.1
>>
>