From: Alex Deucher <alexdeucher@gmail.com>
To: Kees Cook <keescook@chromium.org>
Cc: "Alex Deucher" <alexander.deucher@amd.com>,
"Christian König" <christian.koenig@amd.com>,
"Pan, Xinhui" <Xinhui.Pan@amd.com>,
"David Airlie" <airlied@linux.ie>,
"Daniel Vetter" <daniel@ffwll.ch>,
"Hawking Zhang" <Hawking.Zhang@amd.com>,
"Feifei Xu" <Feifei.Xu@amd.com>, "Likun Gao" <Likun.Gao@amd.com>,
"Jiawei Gu" <Jiawei.Gu@amd.com>, "Evan Quan" <evan.quan@amd.com>,
"amd-gfx list" <amd-gfx@lists.freedesktop.org>,
"Maling list - DRI developers" <dri-devel@lists.freedesktop.org>,
"Lijo Lazar" <lijo.lazar@amd.com>,
"Darren Powell" <darren.powell@amd.com>,
"Huang Rui" <ray.huang@amd.com>,
"Xiaojian Du" <Xiaojian.Du@amd.com>,
"Ryan Taylor" <Ryan.Taylor@amd.com>,
"Graham Sider" <Graham.Sider@amd.com>,
"Luben Tuikov" <luben.tuikov@amd.com>,
"Andrey Grodzovsky" <andrey.grodzovsky@amd.com>,
"Kevin Wang" <kevin1.wang@amd.com>,
"David M Nieto" <david.nieto@amd.com>,
"Lee Jones" <lee.jones@linaro.org>,
"John Clements" <john.clements@amd.com>,
LKML <linux-kernel@vger.kernel.org>,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH v3] drm/amd/pm: And destination bounds checking to struct copy
Date: Fri, 27 Aug 2021 14:21:37 -0400 [thread overview]
Message-ID: <CADnq5_M6f_3vs3zjPG=hA074iBDWRQ_JDLu-gMpiJNEk1Jfpew@mail.gmail.com> (raw)
In-Reply-To: <20210827031647.2069945-1-keescook@chromium.org>
Applied. Thanks!
Alex
On Thu, Aug 26, 2021 at 11:16 PM Kees Cook <keescook@chromium.org> wrote:
>
> In preparation for FORTIFY_SOURCE performing compile-time and run-time
> field bounds checking for memcpy(), memmove(), and memset(), avoid
> intentionally writing across neighboring fields.
>
> The "Board Parameters" members of the structs:
> struct atom_smc_dpm_info_v4_5
> struct atom_smc_dpm_info_v4_6
> struct atom_smc_dpm_info_v4_7
> struct atom_smc_dpm_info_v4_10
> are written to the corresponding members of the corresponding PPTable_t
> variables, but they lack destination size bounds checking, which means
> the compiler cannot verify at compile time that this is an intended and
> safe memcpy().
>
> Since the header files are effectively immutable[1] and a struct_group()
> cannot be used, nor a common struct referenced by both sides of the
> memcpy() arguments, add a new helper, amdgpu_memcpy_trailing(), to
> perform the bounds checking at compile time. Replace the open-coded
> memcpy()s with amdgpu_memcpy_trailing() which includes enough context
> for the bounds checking.
>
> "objdump -d" shows no object code changes.
>
> [1] https://lore.kernel.org/lkml/e56aad3c-a06f-da07-f491-a894a570d78f@amd.com
>
> Cc: "Christian König" <christian.koenig@amd.com>
> Cc: "Pan, Xinhui" <Xinhui.Pan@amd.com>
> Cc: David Airlie <airlied@linux.ie>
> Cc: Daniel Vetter <daniel@ffwll.ch>
> Cc: Hawking Zhang <Hawking.Zhang@amd.com>
> Cc: Feifei Xu <Feifei.Xu@amd.com>
> Cc: Likun Gao <Likun.Gao@amd.com>
> Cc: Jiawei Gu <Jiawei.Gu@amd.com>
> Cc: Evan Quan <evan.quan@amd.com>
> Cc: amd-gfx@lists.freedesktop.org
> Cc: dri-devel@lists.freedesktop.org
> Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
> Acked-by: Alex Deucher <alexander.deucher@amd.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> v3: rename amdgpu_memcpy_trailing() to smu_memcpy_trailing()
> v2: https://lore.kernel.org/lkml/20210825161957.3904130-1-keescook@chromium.org
> v1: https://lore.kernel.org/lkml/20210819201441.3545027-1-keescook@chromium.org
> ---
> drivers/gpu/drm/amd/pm/inc/amdgpu_smu.h | 24 +++++++++++++++++++
> .../gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 6 ++---
> .../gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 8 +++----
> .../drm/amd/pm/swsmu/smu13/aldebaran_ppt.c | 5 ++--
> 4 files changed, 32 insertions(+), 11 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/pm/inc/amdgpu_smu.h b/drivers/gpu/drm/amd/pm/inc/amdgpu_smu.h
> index 715b4225f5ee..8156729c370b 100644
> --- a/drivers/gpu/drm/amd/pm/inc/amdgpu_smu.h
> +++ b/drivers/gpu/drm/amd/pm/inc/amdgpu_smu.h
> @@ -1335,6 +1335,30 @@ enum smu_cmn2asic_mapping_type {
> #define WORKLOAD_MAP(profile, workload) \
> [profile] = {1, (workload)}
>
> +/**
> + * smu_memcpy_trailing - Copy the end of one structure into the middle of another
> + *
> + * @dst: Pointer to destination struct
> + * @first_dst_member: The member name in @dst where the overwrite begins
> + * @last_dst_member: The member name in @dst where the overwrite ends after
> + * @src: Pointer to the source struct
> + * @first_src_member: The member name in @src where the copy begins
> + *
> + */
> +#define smu_memcpy_trailing(dst, first_dst_member, last_dst_member, \
> + src, first_src_member) \
> +({ \
> + size_t __src_offset = offsetof(typeof(*(src)), first_src_member); \
> + size_t __src_size = sizeof(*(src)) - __src_offset; \
> + size_t __dst_offset = offsetof(typeof(*(dst)), first_dst_member); \
> + size_t __dst_size = offsetofend(typeof(*(dst)), last_dst_member) - \
> + __dst_offset; \
> + BUILD_BUG_ON(__src_size != __dst_size); \
> + __builtin_memcpy((u8 *)(dst) + __dst_offset, \
> + (u8 *)(src) + __src_offset, \
> + __dst_size); \
> +})
> +
> #if !defined(SWSMU_CODE_LAYER_L2) && !defined(SWSMU_CODE_LAYER_L3) && !defined(SWSMU_CODE_LAYER_L4)
> int smu_get_power_limit(void *handle,
> uint32_t *limit,
> diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c
> index 273df66cac14..e343cc218990 100644
> --- a/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c
> +++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c
> @@ -483,10 +483,8 @@ static int arcturus_append_powerplay_table(struct smu_context *smu)
>
> if ((smc_dpm_table->table_header.format_revision == 4) &&
> (smc_dpm_table->table_header.content_revision == 6))
> - memcpy(&smc_pptable->MaxVoltageStepGfx,
> - &smc_dpm_table->maxvoltagestepgfx,
> - sizeof(*smc_dpm_table) - offsetof(struct atom_smc_dpm_info_v4_6, maxvoltagestepgfx));
> -
> + smu_memcpy_trailing(smc_pptable, MaxVoltageStepGfx, BoardReserved,
> + smc_dpm_table, maxvoltagestepgfx);
> return 0;
> }
>
> diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
> index f96681700c41..a5fc5d7cb6c7 100644
> --- a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
> +++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
> @@ -431,16 +431,16 @@ static int navi10_append_powerplay_table(struct smu_context *smu)
>
> switch (smc_dpm_table->table_header.content_revision) {
> case 5: /* nv10 and nv14 */
> - memcpy(smc_pptable->I2cControllers, smc_dpm_table->I2cControllers,
> - sizeof(*smc_dpm_table) - sizeof(smc_dpm_table->table_header));
> + smu_memcpy_trailing(smc_pptable, I2cControllers, BoardReserved,
> + smc_dpm_table, I2cControllers);
> break;
> case 7: /* nv12 */
> ret = amdgpu_atombios_get_data_table(adev, index, NULL, NULL, NULL,
> (uint8_t **)&smc_dpm_table_v4_7);
> if (ret)
> return ret;
> - memcpy(smc_pptable->I2cControllers, smc_dpm_table_v4_7->I2cControllers,
> - sizeof(*smc_dpm_table_v4_7) - sizeof(smc_dpm_table_v4_7->table_header));
> + smu_memcpy_trailing(smc_pptable, I2cControllers, BoardReserved,
> + smc_dpm_table_v4_7, I2cControllers);
> break;
> default:
> dev_err(smu->adev->dev, "smc_dpm_info with unsupported content revision %d!\n",
> diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c
> index ec8c30daf31c..ab652028e003 100644
> --- a/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c
> +++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c
> @@ -409,9 +409,8 @@ static int aldebaran_append_powerplay_table(struct smu_context *smu)
>
> if ((smc_dpm_table->table_header.format_revision == 4) &&
> (smc_dpm_table->table_header.content_revision == 10))
> - memcpy(&smc_pptable->GfxMaxCurrent,
> - &smc_dpm_table->GfxMaxCurrent,
> - sizeof(*smc_dpm_table) - offsetof(struct atom_smc_dpm_info_v4_10, GfxMaxCurrent));
> + smu_memcpy_trailing(smc_pptable, GfxMaxCurrent, reserved,
> + smc_dpm_table, GfxMaxCurrent);
> return 0;
> }
>
> --
> 2.30.2
>
prev parent reply other threads:[~2021-08-27 18:21 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-27 3:16 [PATCH v3] drm/amd/pm: And destination bounds checking to struct copy Kees Cook
2021-08-27 18:21 ` Alex Deucher [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CADnq5_M6f_3vs3zjPG=hA074iBDWRQ_JDLu-gMpiJNEk1Jfpew@mail.gmail.com' \
--to=alexdeucher@gmail.com \
--cc=Feifei.Xu@amd.com \
--cc=Graham.Sider@amd.com \
--cc=Hawking.Zhang@amd.com \
--cc=Jiawei.Gu@amd.com \
--cc=Likun.Gao@amd.com \
--cc=Ryan.Taylor@amd.com \
--cc=Xiaojian.Du@amd.com \
--cc=Xinhui.Pan@amd.com \
--cc=airlied@linux.ie \
--cc=alexander.deucher@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=andrey.grodzovsky@amd.com \
--cc=christian.koenig@amd.com \
--cc=daniel@ffwll.ch \
--cc=darren.powell@amd.com \
--cc=david.nieto@amd.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=evan.quan@amd.com \
--cc=john.clements@amd.com \
--cc=keescook@chromium.org \
--cc=kevin1.wang@amd.com \
--cc=lee.jones@linaro.org \
--cc=lijo.lazar@amd.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luben.tuikov@amd.com \
--cc=ray.huang@amd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).