[3.8.y.z extended stable] Patch "drm: Prevent overwriting from userspace underallocating core ioctl" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Thu Nov 7 22:32:39 UTC 2013

This is a note to let you know that I have just added a patch titled

    drm: Prevent overwriting from userspace underallocating core ioctl

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:


This patch is scheduled to be released in version

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see



>From 95e3ee2e369592d92a2d67da82b855907e4f9898 Mon Sep 17 00:00:00 2001
From: Chris Wilson <chris at chris-wilson.co.uk>
Date: Wed, 16 Oct 2013 11:22:44 +0100
Subject: drm: Prevent overwriting from userspace underallocating core ioctl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

commit b062672e305ce071f21eb9e18b102c2a430e0999 upstream.

Apply the protections from

commit 1b2f1489633888d4a06028315dc19d65768a1c05
Author: Dave Airlie <airlied at redhat.com>
Date:   Sat Aug 14 20:20:34 2010 +1000

    drm: block userspace under allocating buffer and having drivers overwrite it (v2)

to the core ioctl structs as well, for we found one instance where there
is a 32-/64-bit size mismatch and were guilty of writing beyond the end
of the user's buffer.

Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
Cc: Dave Airlie <airlied at redhat.com>
Reviewed-by: Ville Syrjälä <ville.syrjala at linux.intel.com>
Cc: dri-devel at lists.freedesktop.org
Signed-off-by: Dave Airlie <airlied at redhat.com>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
 drivers/gpu/drm/drm_drv.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
index be174ca..4177780 100644
--- a/drivers/gpu/drm/drm_drv.c
+++ b/drivers/gpu/drm/drm_drv.c
@@ -411,9 +411,16 @@ long drm_ioctl(struct file *filp,
 			asize = drv_size;
 	else if ((nr >= DRM_COMMAND_END) || (nr < DRM_COMMAND_BASE)) {
+		u32 drv_size;
 		ioctl = &drm_ioctls[nr];
-		cmd = ioctl->cmd;
+		drv_size = _IOC_SIZE(ioctl->cmd);
 		usize = asize = _IOC_SIZE(cmd);
+		if (drv_size > asize)
+			asize = drv_size;
+		cmd = ioctl->cmd;
 	} else
 		goto err_i1;


More information about the kernel-team mailing list