[lvc-project] [PATCH] drm/gem: fix overflow in calculating DMA GEM size

Wed Mar 19 11:46:43 MSK 2025

On Fri, 28. Feb 12:18, Ваторопин Андрей wrote:
> From: Andrey Vatoropin <a.vatoropin at crpt.ru>
> 
> The IOCTL handler drm_mode_create_dumb receives different parameters from
> the user, specifically "height", "width" and others. Sanity checks are 
> performed on these parameters. However, these parameters are sent to the 
> ->dumb_create() callback, and during the processing of the "pitch" 
> parameter, its value may change. The extent of this change depends on the
> driver that exists at the lower level. The thing is that the value of 
> "height" is controlled by user as an ioctl parameter and it is not
> directly associated with the "pitch" value so the initial sanity checks
> can be insufficient.
> 
> For example, if at the moment of calling the 
> drm_gem_dma_dumb_create_internal() via ->dumb_create() callback the values
> are as follows: height equals 2 ^ 27, pitch equals 2^6 then the following
> statement: 
> 	"args->pitch * args->height"
> will evaluate to 
> 	"2 ^ 6 * 2 ^ 27"
> and an overflow occurs.
> 
> Since a value of type 'u64' is used to store the eventual size, it is
> necessary to perform the 64-bit arithmetic to avoid overflow during the
> multiplication.
> 
> The same thing was done in commit 0f8f8a643000 
> ("drm/i915/gem: Detect overflow in calculating dumb buffer size")
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: 6d1782919dc9 ("drm/cma: Introduce drm_gem_cma_dumb_create_internal()")
> Signed-off-by: Andrey Vatoropin <a.vatoropin at crpt.ru> 
> ---

Прошу выслать в только lvc-patches адаптированную версию патча под
5.10-ветку, указав в теме письма [PATCH 5.10].

Текущий патч чисто применяется только к 6.1.

>  drivers/gpu/drm/drm_gem_dma_helper.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_gem_dma_helper.c b/drivers/gpu/drm/drm_gem_dma_helper.c
> index 870b90b78bc4..a8862f6f702a 100644
> --- a/drivers/gpu/drm/drm_gem_dma_helper.c
> +++ b/drivers/gpu/drm/drm_gem_dma_helper.c
> @@ -272,8 +272,8 @@ int drm_gem_dma_dumb_create_internal(struct drm_file *file_priv,
>  	if (args->pitch < min_pitch)
>  		args->pitch = min_pitch;
>  
> -	if (args->size < args->pitch * args->height)
> -		args->size = args->pitch * args->height;
> +	if (args->size < mul_u32_u32(args->pitch, args->height))
> +		args->size = mul_u32_u32(args->pitch, args->height);
>  
>  	dma_obj = drm_gem_dma_create_with_handle(file_priv, drm, args->size,
>  						 &args->handle);
> -- 
> 2.43.0