drm/xe: properly check bounds for xe_wait_user_fence_ioctl()

If !no_engines, then we use copy_from_user to copy to the 'eci' array, which has XE_HW_ENGINE_MAX_INSTANCE members. The amount of members copied is given by the user in args->num_engines, so add code to check that args->num_engines does not exceed XE_HW_ENGINE_MAX_INSTANCE. It's an unsigned value so there's no need to check for negative values. Fixes error messages such as: Buffer overflow detected (54 < 18446744073709551520)! Reviewed-by: José Roberto de Souza <[email protected]> Signed-off-by: Paulo Zanoni <[email protected]> Reviewed-by: Lucas De Marchi <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Lucas De Marchi <[email protected]> Signed-off-by: Rodrigo Vivi <[email protected]>
author: Paulo Zanoni <[email protected]> 2023-06-26 14:22:21 -0700
committer: Rodrigo Vivi <[email protected]> 2023-12-21 11:35:05 -0500
commit: 2e60442a4fef935c76cd70858775b92f565642cc (patch)
tree: 94d00f3bb6fb823e9e5311904378aae01b0b950d
parent: 7f38e1e1063e1b9b2c8368c741ff5e679091e9f8 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/gpu/drm/xe/xe_wait_user_fence.c b/drivers/gpu/drm/xe/xe_wait_user_fence.c
index 3122374341d6..098e2a4cff3f 100644
--- a/drivers/gpu/drm/xe/xe_wait_user_fence.c
+++ b/drivers/gpu/drm/xe/xe_wait_user_fence.c
@@ -121,6 +121,9 @@ int xe_wait_user_fence_ioctl(struct drm_device *dev, void *data,
 			 addr & 0x7))
 		return -EINVAL;
 
+	if (XE_IOCTL_ERR(xe, args->num_engines > XE_HW_ENGINE_MAX_INSTANCE))
+		return -EINVAL;
+
 	if (!no_engines) {
 		err = copy_from_user(eci, user_eci,
 				     sizeof(struct drm_xe_engine_class_instance) *
author	Paulo Zanoni <[email protected]>	2023-06-26 14:22:21 -0700
committer	Rodrigo Vivi <[email protected]>	2023-12-21 11:35:05 -0500
commit	2e60442a4fef935c76cd70858775b92f565642cc (patch)
tree	94d00f3bb6fb823e9e5311904378aae01b0b950d
parent	7f38e1e1063e1b9b2c8368c741ff5e679091e9f8 (diff)