[Intel-gfx] [PATCH v2] drm/i915: use strscpy() to avoid buffer overrun
In capture_vma() Coverity complains of a possible buffer overrun. Even
though this is a static function where all call sites can be checked,
limiting the copy length could save some future grief.
CID 93300 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW)
4. fixed_size_dest: You might overrun the 16-character fixed-size string c->name
by copying name without checking the length.
5. parameter_as_source: Note: This defect has an elevated risk because the
source argument is a parameter of the current function.
1326strcpy(c->name, name);
Fix any possible overflows by using strscpy() which guarantees NULL termination.
Also correct 2 other strcpy() call sites with the same potential for Coverity
warnings or overruns.
v2 - Change $SUBJECT from "drm/i915: zero fill vma name buffer"
Use strscpy() instead of strncpy(). Its a much simpler change.
Cc: Jani Nikula
Cc: Joonas Lahtinen
Cc: Rodrigo Vivi
Cc: David Airlie
Cc: Daniel Vetter
Cc: intel-gfx@lists.freedesktop.org
Cc: dri-de...@lists.freedesktop.org
Cc: linux-ker...@vger.kernel.org
Signed-off-by: Tim Gardner
---
drivers/gpu/drm/i915/i915_gpu_error.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c
b/drivers/gpu/drm/i915/i915_gpu_error.c
index 9cf6ac575de1..7f246f51959d 100644
--- a/drivers/gpu/drm/i915/i915_gpu_error.c
+++ b/drivers/gpu/drm/i915/i915_gpu_error.c
@@ -1015,7 +1015,7 @@ i915_vma_coredump_create(const struct intel_gt *gt,
return NULL;
}
- strcpy(dst->name, name);
+ strscpy(dst->name, name, sizeof(dst->name));
dst->next = NULL;
dst->gtt_offset = vma->node.start;
@@ -1279,7 +1279,7 @@ static bool record_context(struct
i915_gem_context_coredump *e,
rcu_read_lock();
task = pid_task(ctx->pid, PIDTYPE_PID);
if (task) {
- strcpy(e->comm, task->comm);
+ strscpy(e->comm, task->comm, sizeof(e->comm));
e->pid = task->pid;
}
rcu_read_unlock();
@@ -1323,7 +1323,7 @@ capture_vma(struct intel_engine_capture_vma *next,
return next;
}
- strcpy(c->name, name);
+ strscpy(c->name, name, sizeof(c->name));
c->vma = vma; /* reference held while active */
c->next = next;
--
2.33.0
Re: [Intel-gfx] [PATCH] drm/i915: zero fill vma name buffer
On 9/16/21 4:43 AM, Jani Nikula wrote:
On Thu, 16 Sep 2021, Tvrtko Ursulin wrote:
On 15/09/2021 20:23, Tim Gardner wrote:
In capture_vma() Coverity complains of a possible buffer overrun. Even
though this is a static function where all call sites can be checked,
limiting the copy length could save some future grief.
CID 93300 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW)
4. fixed_size_dest: You might overrun the 16-character fixed-size string c->name
by copying name without checking the length.
5. parameter_as_source: Note: This defect has an elevated risk because the
source argument is a parameter of the current function.
1326strcpy(c->name, name);
Fix any possible overflows by using strncpy(). Zero fill the name buffer to
guarantee ASCII string NULL termination.
Cc: Jani Nikula
Cc: Joonas Lahtinen
Cc: Rodrigo Vivi
Cc: David Airlie
Cc: Daniel Vetter
Cc: intel-gfx@lists.freedesktop.org
Cc: dri-de...@lists.freedesktop.org
Cc: linux-ker...@vger.kernel.org
Signed-off-by: Tim Gardner
---
drivers/gpu/drm/i915/i915_gpu_error.c | 7 ---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c
b/drivers/gpu/drm/i915/i915_gpu_error.c
index 9cf6ac575de1..154df174e2d7 100644
--- a/drivers/gpu/drm/i915/i915_gpu_error.c
+++ b/drivers/gpu/drm/i915/i915_gpu_error.c
@@ -1297,10 +1297,11 @@ static bool record_context(struct
i915_gem_context_coredump *e,
return simulated;
}
+#define VMA_NAME_LEN 16
struct intel_engine_capture_vma {
struct intel_engine_capture_vma *next;
struct i915_vma *vma;
- char name[16];
+ char name[VMA_NAME_LEN];
};
static struct intel_engine_capture_vma *
@@ -1314,7 +1315,7 @@ capture_vma(struct intel_engine_capture_vma *next,
if (!vma)
return next;
- c = kmalloc(sizeof(*c), gfp);
+ c = kzalloc(sizeof(*c), gfp);
if (!c)
return next;
@@ -1323,7 +1324,7 @@ capture_vma(struct intel_engine_capture_vma *next,
return next;
}
- strcpy(c->name, name);
+ strncpy(c->name, name, VMA_NAME_LEN-1);
GCC is supposed to catch any problems here as you say in the commit message.
But to fix I suggest a single line change to strlcpy(c->name, name,
sizeof(c->name)) which always null terminates as bonus.
strscpy() is preferred over both strncpy() and strlcpy(). :)
BR,
Jani.
Good call. v2 on the way.
rtg
Probably same in i915_vma_coredump_create() which with strncpy would
have a theoretical chance of attempting to copy over a
non-null-terminated string.
Regards,
Tvrtko
c->vma = vma; /* reference held while active */
c->next = next;
--
---
Tim Gardner
Canonical, Inc
[Intel-gfx] [PATCH] drm/i915: zero fill vma name buffer
In capture_vma() Coverity complains of a possible buffer overrun. Even
though this is a static function where all call sites can be checked,
limiting the copy length could save some future grief.
CID 93300 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW)
4. fixed_size_dest: You might overrun the 16-character fixed-size string c->name
by copying name without checking the length.
5. parameter_as_source: Note: This defect has an elevated risk because the
source argument is a parameter of the current function.
1326strcpy(c->name, name);
Fix any possible overflows by using strncpy(). Zero fill the name buffer to
guarantee ASCII string NULL termination.
Cc: Jani Nikula
Cc: Joonas Lahtinen
Cc: Rodrigo Vivi
Cc: David Airlie
Cc: Daniel Vetter
Cc: intel-gfx@lists.freedesktop.org
Cc: dri-de...@lists.freedesktop.org
Cc: linux-ker...@vger.kernel.org
Signed-off-by: Tim Gardner
---
drivers/gpu/drm/i915/i915_gpu_error.c | 7 ---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c
b/drivers/gpu/drm/i915/i915_gpu_error.c
index 9cf6ac575de1..154df174e2d7 100644
--- a/drivers/gpu/drm/i915/i915_gpu_error.c
+++ b/drivers/gpu/drm/i915/i915_gpu_error.c
@@ -1297,10 +1297,11 @@ static bool record_context(struct
i915_gem_context_coredump *e,
return simulated;
}
+#define VMA_NAME_LEN 16
struct intel_engine_capture_vma {
struct intel_engine_capture_vma *next;
struct i915_vma *vma;
- char name[16];
+ char name[VMA_NAME_LEN];
};
static struct intel_engine_capture_vma *
@@ -1314,7 +1315,7 @@ capture_vma(struct intel_engine_capture_vma *next,
if (!vma)
return next;
- c = kmalloc(sizeof(*c), gfp);
+ c = kzalloc(sizeof(*c), gfp);
if (!c)
return next;
@@ -1323,7 +1324,7 @@ capture_vma(struct intel_engine_capture_vma *next,
return next;
}
- strcpy(c->name, name);
+ strncpy(c->name, name, VMA_NAME_LEN-1);
c->vma = vma; /* reference held while active */
c->next = next;
--
2.33.0
[Intel-gfx] [PATCH] drm/i915/gem: Avoid NULL dereference in __i915_gem_object_lock()
Coverity warns of a possible NULL dereference:
Both dma_resv_lock_interruptible() and dma_resv_lock() can return -EDEADLK.
Protect
against a NULL dereference by checking for NULL before saving the object
pointer. This
is consistent with previous checks for ww==NULL.
Addresses-Coverity: ("Dereference after null check")
Cc: sta...@vger.kernel.org
Fixes: 80f0b679d6f0683f23cf98a511af3e44dd509472 ("drm/i915: Add an
implementation for i915_gem_ww_ctx locking, v2.")
Cc: kernel-janit...@vger.kernel.org
Cc: Maarten Lankhorst
Cc: Jani Nikula
Cc: Joonas Lahtinen
Cc: Rodrigo Vivi
Cc: David Airlie
Cc: Daniel Vetter
Cc: intel-gfx@lists.freedesktop.org
Cc: dri-de...@lists.freedesktop.org
Cc: linux-ker...@vger.kernel.org
Cc: linux-me...@vger.kernel.org
Cc: linaro-mm-...@lists.linaro.org
Signed-off-by: Tim Gardner
---
drivers/gpu/drm/i915/gem/i915_gem_object.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/gem/i915_gem_object.h
b/drivers/gpu/drm/i915/gem/i915_gem_object.h
index 48112b9d76df..3391ca4f662a 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_object.h
+++ b/drivers/gpu/drm/i915/gem/i915_gem_object.h
@@ -187,7 +187,7 @@ static inline int __i915_gem_object_lock(struct
drm_i915_gem_object *obj,
if (ret == -EALREADY)
ret = 0;
- if (ret == -EDEADLK) {
+ if (ret == -EDEADLK && ww) {
i915_gem_object_get(obj);
ww->contended = obj;
}
--
2.33.0
