[Intel-gfx] [PATCH v2] drm/i915: use strscpy() to avoid buffer overrun
In capture_vma() Coverity complains of a possible buffer overrun. Even though this is a static function where all call sites can be checked, limiting the copy length could save some future grief. CID 93300 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW) 4. fixed_size_dest: You might overrun the 16-character fixed-size string c->name by copying name without checking the length. 5. parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function. 1326strcpy(c->name, name); Fix any possible overflows by using strscpy() which guarantees NULL termination. Also correct 2 other strcpy() call sites with the same potential for Coverity warnings or overruns. v2 - Change $SUBJECT from "drm/i915: zero fill vma name buffer" Use strscpy() instead of strncpy(). Its a much simpler change. Cc: Jani Nikula Cc: Joonas Lahtinen Cc: Rodrigo Vivi Cc: David Airlie Cc: Daniel Vetter Cc: intel-gfx@lists.freedesktop.org Cc: dri-de...@lists.freedesktop.org Cc: linux-ker...@vger.kernel.org Signed-off-by: Tim Gardner --- drivers/gpu/drm/i915/i915_gpu_error.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c index 9cf6ac575de1..7f246f51959d 100644 --- a/drivers/gpu/drm/i915/i915_gpu_error.c +++ b/drivers/gpu/drm/i915/i915_gpu_error.c @@ -1015,7 +1015,7 @@ i915_vma_coredump_create(const struct intel_gt *gt, return NULL; } - strcpy(dst->name, name); + strscpy(dst->name, name, sizeof(dst->name)); dst->next = NULL; dst->gtt_offset = vma->node.start; @@ -1279,7 +1279,7 @@ static bool record_context(struct i915_gem_context_coredump *e, rcu_read_lock(); task = pid_task(ctx->pid, PIDTYPE_PID); if (task) { - strcpy(e->comm, task->comm); + strscpy(e->comm, task->comm, sizeof(e->comm)); e->pid = task->pid; } rcu_read_unlock(); @@ -1323,7 +1323,7 @@ capture_vma(struct intel_engine_capture_vma *next, return next; } - strcpy(c->name, name); + strscpy(c->name, name, sizeof(c->name)); c->vma = vma; /* reference held while active */ c->next = next; -- 2.33.0
Re: [Intel-gfx] [PATCH] drm/i915: zero fill vma name buffer
On 9/16/21 4:43 AM, Jani Nikula wrote: On Thu, 16 Sep 2021, Tvrtko Ursulin wrote: On 15/09/2021 20:23, Tim Gardner wrote: In capture_vma() Coverity complains of a possible buffer overrun. Even though this is a static function where all call sites can be checked, limiting the copy length could save some future grief. CID 93300 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW) 4. fixed_size_dest: You might overrun the 16-character fixed-size string c->name by copying name without checking the length. 5. parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function. 1326strcpy(c->name, name); Fix any possible overflows by using strncpy(). Zero fill the name buffer to guarantee ASCII string NULL termination. Cc: Jani Nikula Cc: Joonas Lahtinen Cc: Rodrigo Vivi Cc: David Airlie Cc: Daniel Vetter Cc: intel-gfx@lists.freedesktop.org Cc: dri-de...@lists.freedesktop.org Cc: linux-ker...@vger.kernel.org Signed-off-by: Tim Gardner --- drivers/gpu/drm/i915/i915_gpu_error.c | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c index 9cf6ac575de1..154df174e2d7 100644 --- a/drivers/gpu/drm/i915/i915_gpu_error.c +++ b/drivers/gpu/drm/i915/i915_gpu_error.c @@ -1297,10 +1297,11 @@ static bool record_context(struct i915_gem_context_coredump *e, return simulated; } +#define VMA_NAME_LEN 16 struct intel_engine_capture_vma { struct intel_engine_capture_vma *next; struct i915_vma *vma; - char name[16]; + char name[VMA_NAME_LEN]; }; static struct intel_engine_capture_vma * @@ -1314,7 +1315,7 @@ capture_vma(struct intel_engine_capture_vma *next, if (!vma) return next; - c = kmalloc(sizeof(*c), gfp); + c = kzalloc(sizeof(*c), gfp); if (!c) return next; @@ -1323,7 +1324,7 @@ capture_vma(struct intel_engine_capture_vma *next, return next; } - strcpy(c->name, name); + strncpy(c->name, name, VMA_NAME_LEN-1); GCC is supposed to catch any problems here as you say in the commit message. But to fix I suggest a single line change to strlcpy(c->name, name, sizeof(c->name)) which always null terminates as bonus. strscpy() is preferred over both strncpy() and strlcpy(). :) BR, Jani. Good call. v2 on the way. rtg Probably same in i915_vma_coredump_create() which with strncpy would have a theoretical chance of attempting to copy over a non-null-terminated string. Regards, Tvrtko c->vma = vma; /* reference held while active */ c->next = next; -- --- Tim Gardner Canonical, Inc
[Intel-gfx] [PATCH] drm/i915: zero fill vma name buffer
In capture_vma() Coverity complains of a possible buffer overrun. Even though this is a static function where all call sites can be checked, limiting the copy length could save some future grief. CID 93300 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW) 4. fixed_size_dest: You might overrun the 16-character fixed-size string c->name by copying name without checking the length. 5. parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function. 1326strcpy(c->name, name); Fix any possible overflows by using strncpy(). Zero fill the name buffer to guarantee ASCII string NULL termination. Cc: Jani Nikula Cc: Joonas Lahtinen Cc: Rodrigo Vivi Cc: David Airlie Cc: Daniel Vetter Cc: intel-gfx@lists.freedesktop.org Cc: dri-de...@lists.freedesktop.org Cc: linux-ker...@vger.kernel.org Signed-off-by: Tim Gardner --- drivers/gpu/drm/i915/i915_gpu_error.c | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c index 9cf6ac575de1..154df174e2d7 100644 --- a/drivers/gpu/drm/i915/i915_gpu_error.c +++ b/drivers/gpu/drm/i915/i915_gpu_error.c @@ -1297,10 +1297,11 @@ static bool record_context(struct i915_gem_context_coredump *e, return simulated; } +#define VMA_NAME_LEN 16 struct intel_engine_capture_vma { struct intel_engine_capture_vma *next; struct i915_vma *vma; - char name[16]; + char name[VMA_NAME_LEN]; }; static struct intel_engine_capture_vma * @@ -1314,7 +1315,7 @@ capture_vma(struct intel_engine_capture_vma *next, if (!vma) return next; - c = kmalloc(sizeof(*c), gfp); + c = kzalloc(sizeof(*c), gfp); if (!c) return next; @@ -1323,7 +1324,7 @@ capture_vma(struct intel_engine_capture_vma *next, return next; } - strcpy(c->name, name); + strncpy(c->name, name, VMA_NAME_LEN-1); c->vma = vma; /* reference held while active */ c->next = next; -- 2.33.0
[Intel-gfx] [PATCH] drm/i915/gem: Avoid NULL dereference in __i915_gem_object_lock()
Coverity warns of a possible NULL dereference: Both dma_resv_lock_interruptible() and dma_resv_lock() can return -EDEADLK. Protect against a NULL dereference by checking for NULL before saving the object pointer. This is consistent with previous checks for ww==NULL. Addresses-Coverity: ("Dereference after null check") Cc: sta...@vger.kernel.org Fixes: 80f0b679d6f0683f23cf98a511af3e44dd509472 ("drm/i915: Add an implementation for i915_gem_ww_ctx locking, v2.") Cc: kernel-janit...@vger.kernel.org Cc: Maarten Lankhorst Cc: Jani Nikula Cc: Joonas Lahtinen Cc: Rodrigo Vivi Cc: David Airlie Cc: Daniel Vetter Cc: intel-gfx@lists.freedesktop.org Cc: dri-de...@lists.freedesktop.org Cc: linux-ker...@vger.kernel.org Cc: linux-me...@vger.kernel.org Cc: linaro-mm-...@lists.linaro.org Signed-off-by: Tim Gardner --- drivers/gpu/drm/i915/gem/i915_gem_object.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/gem/i915_gem_object.h b/drivers/gpu/drm/i915/gem/i915_gem_object.h index 48112b9d76df..3391ca4f662a 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_object.h +++ b/drivers/gpu/drm/i915/gem/i915_gem_object.h @@ -187,7 +187,7 @@ static inline int __i915_gem_object_lock(struct drm_i915_gem_object *obj, if (ret == -EALREADY) ret = 0; - if (ret == -EDEADLK) { + if (ret == -EDEADLK && ww) { i915_gem_object_get(obj); ww->contended = obj; } -- 2.33.0