Message ID | 20230622131349.144160-1-benjamin.gaignard@collabora.com |
---|---|
Headers | show |
Series | Add DELETE_BUF ioctl | expand |
On Thu, Jun 22, 2023 at 03:13:41PM +0200, Benjamin Gaignard wrote: > diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c > index f1ff7af34a9f..86e1e926fa45 100644 > --- a/drivers/media/common/videobuf2/videobuf2-core.c > +++ b/drivers/media/common/videobuf2/videobuf2-core.c > @@ -455,9 +455,9 @@ static int __vb2_queue_alloc(struct vb2_queue *q, enum vb2_memory memory, > struct vb2_buffer *vb; > int ret; > > - /* Ensure that q->num_buffers+num_buffers is below VB2_MAX_FRAME */ > + /* Ensure that q->num_buffers + num_buffers is UINT_MAX */ > num_buffers = min_t(unsigned int, num_buffers, > - VB2_MAX_FRAME - q->num_buffers); > + UINT_MAX - q->num_buffers); > > for (buffer = 0; buffer < num_buffers; ++buffer) { > /* Allocate vb2 buffer structures */ Ah... Here's one of the integer overflow bugs I was talking about. The __vb2_queue_alloc() function returns an int so if num_buffers goes over INT_MAX we are hosed. regards, dan carpenter
Le 22/06/2023 à 16:11, Dan Carpenter a écrit : > On Thu, Jun 22, 2023 at 03:13:41PM +0200, Benjamin Gaignard wrote: >> diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c >> index f1ff7af34a9f..86e1e926fa45 100644 >> --- a/drivers/media/common/videobuf2/videobuf2-core.c >> +++ b/drivers/media/common/videobuf2/videobuf2-core.c >> @@ -455,9 +455,9 @@ static int __vb2_queue_alloc(struct vb2_queue *q, enum vb2_memory memory, >> struct vb2_buffer *vb; >> int ret; >> >> - /* Ensure that q->num_buffers+num_buffers is below VB2_MAX_FRAME */ >> + /* Ensure that q->num_buffers + num_buffers is UINT_MAX */ >> num_buffers = min_t(unsigned int, num_buffers, >> - VB2_MAX_FRAME - q->num_buffers); >> + UINT_MAX - q->num_buffers); >> >> for (buffer = 0; buffer < num_buffers; ++buffer) { >> /* Allocate vb2 buffer structures */ > Ah... Here's one of the integer overflow bugs I was talking about. The > __vb2_queue_alloc() function returns an int so if num_buffers goes over > INT_MAX we are hosed. I will limit it to: #define VB2_QUEUE_MAX_BUFFERS (INT_MAX & PAGE_MASK) /* The mask prevents 85% of integer overflows */ as you have suggest it. That will be in version 4. Thanks, Benjamin > > regards, > dan carpenter >
On 22/06/2023 16:13, Benjamin Gaignard wrote: > > Le 22/06/2023 à 16:11, Dan Carpenter a écrit : >> On Thu, Jun 22, 2023 at 03:13:41PM +0200, Benjamin Gaignard wrote: >>> diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c >>> index f1ff7af34a9f..86e1e926fa45 100644 >>> --- a/drivers/media/common/videobuf2/videobuf2-core.c >>> +++ b/drivers/media/common/videobuf2/videobuf2-core.c >>> @@ -455,9 +455,9 @@ static int __vb2_queue_alloc(struct vb2_queue *q, enum vb2_memory memory, >>> struct vb2_buffer *vb; >>> int ret; >>> - /* Ensure that q->num_buffers+num_buffers is below VB2_MAX_FRAME */ >>> + /* Ensure that q->num_buffers + num_buffers is UINT_MAX */ >>> num_buffers = min_t(unsigned int, num_buffers, >>> - VB2_MAX_FRAME - q->num_buffers); >>> + UINT_MAX - q->num_buffers); >>> for (buffer = 0; buffer < num_buffers; ++buffer) { >>> /* Allocate vb2 buffer structures */ >> Ah... Here's one of the integer overflow bugs I was talking about. The >> __vb2_queue_alloc() function returns an int so if num_buffers goes over >> INT_MAX we are hosed. > > I will limit it to: > #define VB2_QUEUE_MAX_BUFFERS (INT_MAX & PAGE_MASK) /* The mask prevents 85% of integer overflows */ > as you have suggest it. IMHO INT_MAX is way overkill. How about (1U << 20)? I would like some sort of sanity check here. 1048576 buffers of 640x480 and 4 bytes per pixel is 1.2 TB. Since a TB of memory is doable these days, I think this is a reasonable value for MAX_BUFFERS without allowing just anything. An alternative is to make this a kernel config. Regards, Hans > > That will be in version 4. > > Thanks, > Benjamin > >> >> regards, >> dan carpenter >>
Le 23/06/2023 à 09:02, Hans Verkuil a écrit : > On 22/06/2023 16:13, Benjamin Gaignard wrote: >> Le 22/06/2023 à 16:11, Dan Carpenter a écrit : >>> On Thu, Jun 22, 2023 at 03:13:41PM +0200, Benjamin Gaignard wrote: >>>> diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c >>>> index f1ff7af34a9f..86e1e926fa45 100644 >>>> --- a/drivers/media/common/videobuf2/videobuf2-core.c >>>> +++ b/drivers/media/common/videobuf2/videobuf2-core.c >>>> @@ -455,9 +455,9 @@ static int __vb2_queue_alloc(struct vb2_queue *q, enum vb2_memory memory, >>>> struct vb2_buffer *vb; >>>> int ret; >>>> - /* Ensure that q->num_buffers+num_buffers is below VB2_MAX_FRAME */ >>>> + /* Ensure that q->num_buffers + num_buffers is UINT_MAX */ >>>> num_buffers = min_t(unsigned int, num_buffers, >>>> - VB2_MAX_FRAME - q->num_buffers); >>>> + UINT_MAX - q->num_buffers); >>>> for (buffer = 0; buffer < num_buffers; ++buffer) { >>>> /* Allocate vb2 buffer structures */ >>> Ah... Here's one of the integer overflow bugs I was talking about. The >>> __vb2_queue_alloc() function returns an int so if num_buffers goes over >>> INT_MAX we are hosed. >> I will limit it to: >> #define VB2_QUEUE_MAX_BUFFERS (INT_MAX & PAGE_MASK) /* The mask prevents 85% of integer overflows */ >> as you have suggest it. > IMHO INT_MAX is way overkill. How about (1U << 20)? I would like some sort of > sanity check here. 1048576 buffers of 640x480 and 4 bytes per pixel is 1.2 TB. I will go for (1U << 20) in next version. Regards, Benjamin > > Since a TB of memory is doable these days, I think this is a reasonable > value for MAX_BUFFERS without allowing just anything. > > An alternative is to make this a kernel config. > > Regards, > > Hans > >> That will be in version 4. >> >> Thanks, >> Benjamin >> >>> regards, >>> dan carpenter >>>