83 lines
2.9 KiB
Diff
83 lines
2.9 KiB
Diff
From: Eric Anholt <eric@anholt.net>
|
|
To: dri-devel@lists.freedesktop.org
|
|
Subject: [PATCH 1/2] drm/vc4: Fix an integer overflow in temporary
|
|
allocation layout.
|
|
Date: Wed, 18 Jan 2017 07:20:49 +1100
|
|
|
|
We copy the unvalidated ioctl arguments from the user into kernel
|
|
temporary memory to run the validation from, to avoid a race where the
|
|
user updates the unvalidate contents in between validating them and
|
|
copying them into the validated BO.
|
|
|
|
However, in setting up the layout of the kernel side, we failed to
|
|
check one of the additions (the roundup() for shader_rec_offset)
|
|
against integer overflow, allowing a nearly MAX_UINT value of
|
|
bin_cl_size to cause us to under-allocate the temporary space that we
|
|
then copy_from_user into.
|
|
|
|
Reported-by: Murray McAllister <murray.mcallister@insomniasec.com>
|
|
Signed-off-by: Eric Anholt <eric@anholt.net>
|
|
Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
|
|
---
|
|
drivers/gpu/drm/vc4/vc4_gem.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
|
|
index db920771bfb5..c5fe3554858e 100644
|
|
--- a/drivers/gpu/drm/vc4/vc4_gem.c
|
|
+++ b/drivers/gpu/drm/vc4/vc4_gem.c
|
|
@@ -594,7 +594,8 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
|
|
args->shader_rec_count);
|
|
struct vc4_bo *bo;
|
|
|
|
- if (uniforms_offset < shader_rec_offset ||
|
|
+ if (shader_rec_offset < args->bin_cl_size ||
|
|
+ uniforms_offset < shader_rec_offset ||
|
|
exec_size < uniforms_offset ||
|
|
args->shader_rec_count >= (UINT_MAX /
|
|
sizeof(struct vc4_shader_state)) ||
|
|
--
|
|
2.11.0
|
|
|
|
_______________________________________________
|
|
dri-devel mailing list
|
|
dri-devel@lists.freedesktop.org
|
|
https://lists.freedesktop.org/mailman/listinfo/dri-devel
|
|
|
|
From: Eric Anholt <eric@anholt.net>
|
|
To: dri-devel@lists.freedesktop.org
|
|
Subject: [PATCH 2/2] drm/vc4: Return -EINVAL on the overflow checks failing.
|
|
Date: Wed, 18 Jan 2017 07:20:50 +1100
|
|
|
|
By failing to set the errno, we'd continue on to trying to set up the
|
|
RCL, and then oops on trying to dereference the tile_bo that binning
|
|
validation should have set up.
|
|
|
|
Reported-by: Ingo Molnar <mingo@kernel.org>
|
|
Signed-off-by: Eric Anholt <eric@anholt.net>
|
|
Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
|
|
---
|
|
drivers/gpu/drm/vc4/vc4_gem.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
|
|
index c5fe3554858e..ab3016982466 100644
|
|
--- a/drivers/gpu/drm/vc4/vc4_gem.c
|
|
+++ b/drivers/gpu/drm/vc4/vc4_gem.c
|
|
@@ -601,6 +601,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
|
|
sizeof(struct vc4_shader_state)) ||
|
|
temp_size < exec_size) {
|
|
DRM_ERROR("overflow in exec arguments\n");
|
|
+ ret = -EINVAL;
|
|
goto fail;
|
|
}
|
|
|
|
--
|
|
2.11.0
|
|
|
|
_______________________________________________
|
|
dri-devel mailing list
|
|
dri-devel@lists.freedesktop.org
|
|
https://lists.freedesktop.org/mailman/listinfo/dri-devel
|
|
|