[Dri-devel] copy_from_user question

[Hollis Blanchard]

This is what the Stanford checker turned up recently when analyzing the  
copy_to/from_user calls in the Linux kernel:

---------------------------------------------------------
[BUG] function radeon_cp_dispatch_indices calls
DRM_COPY_FROM_USER_UNCHECKED on parameter 'dev_priv->sarea_priv->boxes',
implies it is a user space pointer. dev_piv->sarea_priv has type
'drm_radeon_sarea_t', where field 'drm_radeon_sarea_t.boxes' is declared
as an array. so dev_priv->sarea_priv->boxes is equivalent to
dev_priv->sarea_priv + offset of field 'boxes'. since  
dev_priv->sarea_priv
+ offset_of_'boxes' is tainted, dev_priv->sarea_priv is also a  
user-space
pointer. this pointer is deref'd several times.

/home/junfeng/linux-tainted/drivers/char/drm/ 
radeon_state.c:1554:radeon_cp_indices:
ERROR:TAINTED:1554:1554: dereferencing tainted ptr  
'dev_priv->sarea_priv'
[Callstack: ]

        prim.prim = elts.prim;
        prim.offset = 0;        /* offset from start of dma buffers */
        prim.numverts = RADEON_MAX_VB_VERTS; /* duh */
        prim.vc_format = dev_priv->sarea_priv->vc_format;
Error --->
        radeon_cp_dispatch_indices( dev, buf, &prim,
                                   dev_priv->sarea_priv->boxes,
                                   dev_priv->sarea_priv->nbox );
        if (elts.discard) {
---------------------------------------------------------
[BUG]
/home/junfeng/linux-tainted/drivers/char/drm/ 
radeon_state.c:1773:radeon_cp_vertex2:
ERROR:TAINTED:1773:1773: dereferencing tainted ptr 'sarea_priv'
[Callstack: ]

            if ( prim.prim & RADEON_PRIM_WALK_IND ) {
                        tclprim.offset = prim.numverts * 64;
                        tclprim.numverts = RADEON_MAX_VB_VERTS; /* duh */
Error --->
                        radeon_cp_dispatch_indices( dev, buf, &tclprim,
                                                    sarea_priv->boxes,
                                                    sarea_priv->nbox);
                } else {
---------------------------------------------------------
[BUG]
/home/junfeng/linux-tainted/drivers/char/drm/ 
radeon_state.c:1454:radeon_cp_vertex:
ERROR:TAINTED:1454:1454: dereferencing tainted ptr  
'dev_priv->sarea_priv'
[Callstack: ]

                prim.finish = vertex.count; /* unused */
                prim.prim = vertex.prim;
                prim.numverts = vertex.count;
                prim.vc_format = dev_priv->sarea_priv->vc_format;
Error --->
                radeon_cp_dispatch_vertex( dev, buf, &prim,
                                           dev_priv->sarea_priv->boxes,
                                           dev_priv->sarea_priv->nbox );
        }
---------------------------------------------------------
This is all because the DRM_COPY_FROM_USER_UNCHECKED is being called in  
radeon_cp_dispatch_indices. If the copy_from_user is needed, the whole  
sarea_priv structure must be in user space, in which case all the other  
direct sarea references are in error. The other possibility is that  
copy_from_user isn't needed here at all. Can anyone comment?

--
Hollis Blanchard
IBM Linux Technology Center


-------------------------------------------------------
This SF.net email is sponsored by:  Etnus, makers of TotalView, The best
thread debugger on the planet. Designed with thread debugging features
you've never dreamed of, try TotalView 6 free at www.etnus.com.
_______________________________________________
Dri-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/dri-devel