Guenter Roeck
2024-May-24 13:48 UTC
[PATCH v3] drm/nouveau/nvif: Avoid build error due to potential integer overflows
Trying to build parisc:allmodconfig with gcc 12.x or later results in the following build error. drivers/gpu/drm/nouveau/nvif/object.c: In function 'nvif_object_mthd': drivers/gpu/drm/nouveau/nvif/object.c:161:9: error: 'memcpy' accessing 4294967264 or more bytes at offsets 0 and 32 overlaps 6442450881 bytes at offset -2147483617 [-Werror=restrict] 161 | memcpy(data, args->mthd.data, size); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/nouveau/nvif/object.c: In function 'nvif_object_ctor': drivers/gpu/drm/nouveau/nvif/object.c:298:17: error: 'memcpy' accessing 4294967240 or more bytes at offsets 0 and 56 overlaps 6442450833 bytes at offset -2147483593 [-Werror=restrict] 298 | memcpy(data, args->new.data, size); gcc assumes that 'sizeof(*args) + size' can overflow, which would result in the problem. The problem is not new, only it is now no longer a warning but an error since W=1 has been enabled for the drm subsystem and since Werror is enabled for test builds. Rearrange arithmetic and use check_add_overflow() for validating the allocation size to avoid the overflow. While at it, split assignments out of if conditions. Fixes: a61ddb4393ad ("drm: enable (most) W=1 warnings by default across the subsystem") Cc: Javier Martinez Canillas <javierm at redhat.com> Cc: Jani Nikula <jani.nikula at intel.com> Cc: Thomas Zimmermann <tzimmermann at suse.de> Cc: Danilo Krummrich <dakr at redhat.com> Cc: Maxime Ripard <mripard at kernel.org> Cc: Kees Cook <keescook at chromium.org> Cc: Christophe JAILLET <christophe.jaillet at wanadoo.fr> Cc: Joe Perches <joe at perches.com> Reviewed-by: Kees Cook <keescook at chromium.org> Signed-off-by: Guenter Roeck <linux at roeck-us.net> --- v3: Split assignments from if conditions. v2: Use check_add_overflow() to calculate the allocation size and to check for overflows. drivers/gpu/drm/nouveau/nvif/object.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/nouveau/nvif/object.c b/drivers/gpu/drm/nouveau/nvif/object.c index 4d1aaee8fe15..1d19c87eaec1 100644 --- a/drivers/gpu/drm/nouveau/nvif/object.c +++ b/drivers/gpu/drm/nouveau/nvif/object.c @@ -142,11 +142,16 @@ nvif_object_mthd(struct nvif_object *object, u32 mthd, void *data, u32 size) struct nvif_ioctl_v0 ioctl; struct nvif_ioctl_mthd_v0 mthd; } *args; + u32 args_size; u8 stack[128]; int ret; - if (sizeof(*args) + size > sizeof(stack)) { - if (!(args = kmalloc(sizeof(*args) + size, GFP_KERNEL))) + if (check_add_overflow(sizeof(*args), size, &args_size)) + return -ENOMEM; + + if (args_size > sizeof(stack)) { + args = kmalloc(args_size, GFP_KERNEL); + if (!args) return -ENOMEM; } else { args = (void *)stack; @@ -157,7 +162,7 @@ nvif_object_mthd(struct nvif_object *object, u32 mthd, void *data, u32 size) args->mthd.method = mthd; memcpy(args->mthd.data, data, size); - ret = nvif_object_ioctl(object, args, sizeof(*args) + size, NULL); + ret = nvif_object_ioctl(object, args, args_size, NULL); memcpy(data, args->mthd.data, size); if (args != (void *)stack) kfree(args); @@ -276,7 +281,15 @@ nvif_object_ctor(struct nvif_object *parent, const char *name, u32 handle, object->map.size = 0; if (parent) { - if (!(args = kmalloc(sizeof(*args) + size, GFP_KERNEL))) { + u32 args_size; + + if (check_add_overflow(sizeof(*args), size, &args_size)) { + nvif_object_dtor(object); + return -ENOMEM; + } + + args = kmalloc(args_size, GFP_KERNEL); + if (!args) { nvif_object_dtor(object); return -ENOMEM; } @@ -293,8 +306,7 @@ nvif_object_ctor(struct nvif_object *parent, const char *name, u32 handle, args->new.oclass = oclass; memcpy(args->new.data, data, size); - ret = nvif_object_ioctl(parent, args, sizeof(*args) + size, - &object->priv); + ret = nvif_object_ioctl(parent, args, args_size, &object->priv); memcpy(data, args->new.data, size); kfree(args); if (ret == 0) -- 2.39.2
Danilo Krummrich
2024-May-27 11:23 UTC
[PATCH v3] drm/nouveau/nvif: Avoid build error due to potential integer overflows
On 5/24/24 15:48, Guenter Roeck wrote:> Trying to build parisc:allmodconfig with gcc 12.x or later results > in the following build error. > > drivers/gpu/drm/nouveau/nvif/object.c: In function 'nvif_object_mthd': > drivers/gpu/drm/nouveau/nvif/object.c:161:9: error: > 'memcpy' accessing 4294967264 or more bytes at offsets 0 and 32 overlaps 6442450881 bytes at offset -2147483617 [-Werror=restrict] > 161 | memcpy(data, args->mthd.data, size); > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > drivers/gpu/drm/nouveau/nvif/object.c: In function 'nvif_object_ctor': > drivers/gpu/drm/nouveau/nvif/object.c:298:17: error: > 'memcpy' accessing 4294967240 or more bytes at offsets 0 and 56 overlaps 6442450833 bytes at offset -2147483593 [-Werror=restrict] > 298 | memcpy(data, args->new.data, size); > > gcc assumes that 'sizeof(*args) + size' can overflow, which would result > in the problem. > > The problem is not new, only it is now no longer a warning but an error > since W=1 has been enabled for the drm subsystem and since Werror is > enabled for test builds. > > Rearrange arithmetic and use check_add_overflow() for validating the > allocation size to avoid the overflow. While at it, split assignments > out of if conditions. > > Fixes: a61ddb4393ad ("drm: enable (most) W=1 warnings by default across the subsystem") > Cc: Javier Martinez Canillas <javierm at redhat.com> > Cc: Jani Nikula <jani.nikula at intel.com> > Cc: Thomas Zimmermann <tzimmermann at suse.de> > Cc: Danilo Krummrich <dakr at redhat.com> > Cc: Maxime Ripard <mripard at kernel.org> > Cc: Kees Cook <keescook at chromium.org> > Cc: Christophe JAILLET <christophe.jaillet at wanadoo.fr> > Cc: Joe Perches <joe at perches.com> > Reviewed-by: Kees Cook <keescook at chromium.org> > Signed-off-by: Guenter Roeck <linux at roeck-us.net>Applied to drm-misc-fixes, thanks!> --- > v3: Split assignments from if conditions. > v2: Use check_add_overflow() to calculate the allocation size and to check > for overflows. > > drivers/gpu/drm/nouveau/nvif/object.c | 24 ++++++++++++++++++------ > 1 file changed, 18 insertions(+), 6 deletions(-) > > diff --git a/drivers/gpu/drm/nouveau/nvif/object.c b/drivers/gpu/drm/nouveau/nvif/object.c > index 4d1aaee8fe15..1d19c87eaec1 100644 > --- a/drivers/gpu/drm/nouveau/nvif/object.c > +++ b/drivers/gpu/drm/nouveau/nvif/object.c > @@ -142,11 +142,16 @@ nvif_object_mthd(struct nvif_object *object, u32 mthd, void *data, u32 size) > struct nvif_ioctl_v0 ioctl; > struct nvif_ioctl_mthd_v0 mthd; > } *args; > + u32 args_size; > u8 stack[128]; > int ret; > > - if (sizeof(*args) + size > sizeof(stack)) { > - if (!(args = kmalloc(sizeof(*args) + size, GFP_KERNEL))) > + if (check_add_overflow(sizeof(*args), size, &args_size)) > + return -ENOMEM; > + > + if (args_size > sizeof(stack)) { > + args = kmalloc(args_size, GFP_KERNEL); > + if (!args) > return -ENOMEM; > } else { > args = (void *)stack; > @@ -157,7 +162,7 @@ nvif_object_mthd(struct nvif_object *object, u32 mthd, void *data, u32 size) > args->mthd.method = mthd; > > memcpy(args->mthd.data, data, size); > - ret = nvif_object_ioctl(object, args, sizeof(*args) + size, NULL); > + ret = nvif_object_ioctl(object, args, args_size, NULL); > memcpy(data, args->mthd.data, size); > if (args != (void *)stack) > kfree(args); > @@ -276,7 +281,15 @@ nvif_object_ctor(struct nvif_object *parent, const char *name, u32 handle, > object->map.size = 0; > > if (parent) { > - if (!(args = kmalloc(sizeof(*args) + size, GFP_KERNEL))) { > + u32 args_size; > + > + if (check_add_overflow(sizeof(*args), size, &args_size)) { > + nvif_object_dtor(object); > + return -ENOMEM; > + } > + > + args = kmalloc(args_size, GFP_KERNEL); > + if (!args) { > nvif_object_dtor(object); > return -ENOMEM; > } > @@ -293,8 +306,7 @@ nvif_object_ctor(struct nvif_object *parent, const char *name, u32 handle, > args->new.oclass = oclass; > > memcpy(args->new.data, data, size); > - ret = nvif_object_ioctl(parent, args, sizeof(*args) + size, > - &object->priv); > + ret = nvif_object_ioctl(parent, args, args_size, &object->priv); > memcpy(data, args->new.data, size); > kfree(args); > if (ret == 0)
Possibly Parallel Threads
- [PATCH v2] drm/nouveau/nvif: Avoid build error due to potential integer overflows
- [PATCH] drm/nouveau/nvif: Avoid build error due to potential integer overflows
- [PATCH] drm/nouveau/nvif: Avoid build error due to potential integer overflows
- [PATCH] drm/nouveau/nvif: Avoid build error due to potential integer overflows
- [PATCH] drm/nouveau/nvif: Avoid build error due to potential integer overflows