[patch 3/4] drm/amdgpu: info leak in amdgpu_gem_metadata_ioctl()

From: Dan Carpenter <dan.carpenter@oracle.com>
To: David Airlie <airlied@linux.ie>,
	Ilja Van Sprundel <ivansprundel@ioactive.com>
Cc: security@kernel.org, "Marek Olšák" <marek.olsak@amd.com>,
	dri-devel@lists.freedesktop.org,
	"Alex Deucher" <alexander.deucher@amd.com>,
	"Christian König" <christian.koenig@amd.com>,
	"monk.liu" <monk.liu@amd.com>
Subject: [patch 3/4] drm/amdgpu: info leak in amdgpu_gem_metadata_ioctl()
Date: Wed, 23 Sep 2015 14:00:35 +0300	[thread overview]
Message-ID: <20150923110035.GC16158@mwanda> (raw)
In-Reply-To: <13E61BCA7787794E89BDF39B8DE40C024D12E9F63F@ioaexchange.ioactive.local>

There is no limit on args->data.data_size_bytes so we could read beyond
the end of the args->data.data[] array.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
index 5839fab..dac14de 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
@@ -426,6 +426,10 @@ int amdgpu_gem_metadata_ioctl(struct drm_device *dev, void *data,
 					   &args->data.data_size_bytes,
 					   &args->data.flags);
 	} else if (args->op == AMDGPU_GEM_METADATA_OP_SET_METADATA) {
+		if (args->data.data_size_bytes > sizeof(args->data.data)) {
+			r = -EINVAL;
+			goto unreserve;
+		}
 		r = amdgpu_bo_set_tiling_flags(robj, args->data.tiling_info);
 		if (!r)
 			r = amdgpu_bo_set_metadata(robj, args->data.data,
@@ -433,6 +437,7 @@ int amdgpu_gem_metadata_ioctl(struct drm_device *dev, void *data,
 						   args->data.flags);
 	}
 
+unreserve:
 	amdgpu_bo_unreserve(robj);
 out:
 	drm_gem_object_unreference_unlocked(gobj);
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/dri-devel
