Date:      Thu, 20 Sep 2018 13:17:01 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 231513] off-by-one overflow in drm_ioctl (sys/dev/drm/drm_drv.c)
Message-ID:  <bug-231513-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231513

            Bug ID: 231513
           Summary: off-by-one overflow in drm_ioctl
                    (sys/dev/drm/drm_drv.c)
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: yangx92@hotmail.com

Created attachment 197277
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=197277&action=edit
patch_for_drm_out-of-bouns_access

There is an off-by-one overflow in drm_ioctl (sys/dev/drm/drm_drv.c).

701 int drm_ioctl(struct cdev *kdev, u_long cmd, caddr_t data, int flags,
702     DRM_STRUCTPROC *p)
703 {
704         struct drm_device *dev = drm_get_device_from_kdev(kdev);
705         int retcode = 0;
706         drm_ioctl_desc_t *ioctl;
707         int (*func)(struct drm_device *dev, void *data, struct drm_file *file_priv);
708         int nr = DRM_IOCTL_NR(cmd);
709         int is_driver_ioctl = 0;
710         struct drm_file *file_priv;
711
...
743         ioctl = &drm_ioctls[nr];
744         /* It's not a core DRM ioctl, try driver-specific. */
745         if (ioctl->func == NULL && nr >= DRM_COMMAND_BASE) {
746                 /* The array entries begin at DRM_COMMAND_BASE ioctl nr */
747                 nr -= DRM_COMMAND_BASE;
748                 if (nr > dev->driver->max_ioctl) {
749                         DRM_DEBUG("Bad driver ioctl number, 0x%x (of 0x%x)\n",
750                             nr, dev->driver->max_ioctl);
751                         return EINVAL;
752                 }
753                 ioctl = &dev->driver->ioctls[nr];
754                 is_driver_ioctl = 1;
755         }
756         func = ioctl->func;
757
758         if (func == NULL) {
759                 DRM_DEBUG("no function\n");
760                 return EINVAL;
761         }
762
763         if (((ioctl->flags & DRM_ROOT_ONLY) && !DRM_SUSER(p)) ||
764             ((ioctl->flags & DRM_AUTH) && !file_priv->authenticated) ||
765             ((ioctl->flags & DRM_MASTER) && !file_priv->master))
766                 return EACCES;
767
768         if (is_driver_ioctl) {
769                 DRM_LOCK();
770                 /* shared code returns -errno */
771                 retcode = -func(dev, data, file_priv);
772                 DRM_UNLOCK();
773         } else {
774                 retcode = func(dev, data, file_priv);
775         }
776
777         if (retcode != 0)
778                 DRM_DEBUG("    returning %d\n", retcode);
779
780         return retcode;
781 }

The correct logic for line 748 is nr >= dev->driver->max_ioctl. Otherwise,
there would be out-of-bounds access in line 753. Then, ioctl is used in line
756.

The attachment is the proposed patch.

-- 
You are receiving this mail because:
You are the assignee for the bug.
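The following is an added illustration of the bounds check the report describes, not code from the FreeBSD drm driver or from the reporter. It uses a constructed two-entry driver table (demo_drv, demo_table) and a stand-in DEMO_COMMAND_BASE whose value is assumed; only the offset arithmetic matters. demo_driver_index_buggy mirrors the "nr > max_ioctl" test from line 748, demo_driver_index_fixed uses the ">=" test the report proposes, and demo_count_unsafe_accepts is a small regression-style check that walks the driver-specific ioctl range and counts indices a lookup accepts even though they lie outside the table.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed stand-ins for dev->driver, dev->driver->ioctls and
 * DRM_COMMAND_BASE. DEMO_COMMAND_BASE's value is assumed for the demo.
 */
#define DEMO_COMMAND_BASE 0x40

typedef int (*demo_ioctl_fn)(void *data);

struct demo_ioctl_desc {
    demo_ioctl_fn func;
    int flags;
};

struct demo_driver {
    const struct demo_ioctl_desc *ioctls;
    int max_ioctl;   /* entry count: valid indices are 0 .. max_ioctl-1 */
};

static int demo_fn_a(void *data) { (void)data; return 0; }
static int demo_fn_b(void *data) { (void)data; return 0; }

/* Two-entry table, so max_ioctl == 2 and index 2 lies one past the end. */
static const struct demo_ioctl_desc demo_table[2] = {
    { demo_fn_a, 0 },
    { demo_fn_b, 0 },
};
const struct demo_driver demo_drv = { demo_table, 2 };

/* 1 if drv->ioctls[idx] is inside the table, else 0. */
int demo_index_in_table(const struct demo_driver *drv, int idx)
{
    return idx >= 0 && idx < drv->max_ioctl;
}

/*
 * Mirrors the report's lines 745-748. The check uses '>', so an offset equal
 * to max_ioctl is accepted and would select the entry just past the table;
 * its func and flags would then be read at the report's lines 756 and 763.
 * Returns the table index the code would use, or -EINVAL on rejection.
 */
int demo_driver_index_buggy(const struct demo_driver *drv, int nr)
{
    if (nr < DEMO_COMMAND_BASE)
        return -EINVAL;            /* not in the driver-specific range */
    nr -= DEMO_COMMAND_BASE;
    if (nr > drv->max_ioctl)       /* off-by-one: should be >= */
        return -EINVAL;
    return nr;
}

/* Same lookup with the check the report proposes (nr >= max_ioctl). */
int demo_driver_index_fixed(const struct demo_driver *drv, int nr)
{
    if (nr < DEMO_COMMAND_BASE)
        return -EINVAL;
    nr -= DEMO_COMMAND_BASE;
    if (nr >= drv->max_ioctl)
        return -EINVAL;
    return nr;
}

/*
 * Walk the driver range plus a margin and count the ioctl numbers a lookup
 * accepts whose index falls outside the table. A correct check yields 0.
 */
int demo_count_unsafe_accepts(const struct demo_driver *drv,
                              int (*lookup)(const struct demo_driver *, int))
{
    int nr, unsafe = 0;
    for (nr = DEMO_COMMAND_BASE; nr < DEMO_COMMAND_BASE + drv->max_ioctl + 8; nr++) {
        int idx = lookup(drv, nr);
        if (idx >= 0 && !demo_index_in_table(drv, idx))
            unsafe++;
    }
    return unsafe;
}

int main(void)
{
    printf("buggy check accepts %d out-of-table index(es)\n",
           demo_count_unsafe_accepts(&demo_drv, demo_driver_index_buggy));
    printf("fixed check accepts %d out-of-table index(es)\n",
           demo_count_unsafe_accepts(&demo_drv, demo_driver_index_fixed));
    return 0;
}
```

The counting helper is the kind of check worth keeping next to any table-indexed dispatcher: it does not need the real driver, only the table size and the lookup routine, and it turns a comparison-operator mistake into a failing number rather than a read past the array.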