From: Michal Srb <msrb@suse.com>
To: dri-devel@lists.freedesktop.org
Subject: [PATCH v2 2/2] drm/i915/cmdparser: Do not check past the cmd length.
Date: Mon, 5 Feb 2018 16:17:45 +0100 [thread overview]
Message-ID: <20180205151745.29292-1-msrb@suse.com> (raw)
In-Reply-To: <151784210673.15322.7894069362975757643@mail.alporthouse.com>
The command MEDIA_VFE_STATE checks bits at offset +2 dwords. However, it is
possible to have MEDIA_VFE_STATE command with length = 0 + LENGTH_BIAS = 2.
In that case check_cmd will read bits from the following command, or even past
the end of the buffer.
If the offset ends up outside of the command length, reject the command.
Signed-off-by: Michal Srb <msrb@suse.com>
---
v2: Return false instead of continuing - reject the command instead of
ignoring.
drivers/gpu/drm/i915/i915_cmd_parser.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/gpu/drm/i915/i915_cmd_parser.c b/drivers/gpu/drm/i915/i915_cmd_parser.c
index de7ec59433d1..ef7ad016d67c 100644
--- a/drivers/gpu/drm/i915/i915_cmd_parser.c
+++ b/drivers/gpu/drm/i915/i915_cmd_parser.c
@@ -1218,6 +1218,12 @@ static bool check_cmd(const struct intel_engine_cs *engine,
continue;
}
+ if (desc->bits[i].offset >= length) {
+ DRM_DEBUG_DRIVER("CMD: Rejected command 0x%08X, too short to check bitmask (%s)\n",
+ *cmd, engine->name);
+ return false;
+ }
+
dword = cmd[desc->bits[i].offset] &
desc->bits[i].mask;
--
2.13.6
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
next prev parent reply other threads:[~2018-02-05 15:17 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-05 14:29 [PATCH 0/2] Fixes in drm/i915/cmdparser Michal Srb
2018-02-05 14:29 ` [PATCH 1/2] drm/i915/cmdparser: Check reg_table_count before derefencing Michal Srb
2018-02-05 14:29 ` [PATCH 2/2] drm/i915/cmdparser: Do not check past the cmd length Michal Srb
2018-02-05 14:48 ` Chris Wilson
2018-02-05 15:17 ` Michal Srb [this message]
2018-02-05 16:04 ` [PATCH v2 " Chris Wilson
2018-02-05 20:50 ` Chris Wilson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180205151745.29292-1-msrb@suse.com \
--to=msrb@suse.com \
--cc=dri-devel@lists.freedesktop.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.