path: root/drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch
Diffstat (limited to 'drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch')
-rw-r--r-- drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch 82
1 files changed, 82 insertions, 0 deletions
diff --git a/drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch b/drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch
new file mode 100644
index 000000000..37f012073
--- /dev/null
+++ b/drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch
@@ -0,0 +1,82 @@
+From: Eric Anholt <eric@anholt.net>
+To: dri-devel@lists.freedesktop.org
+Subject: [PATCH 1/2] drm/vc4: Fix an integer overflow in temporary
+ allocation layout.
+Date: Wed, 18 Jan 2017 07:20:49 +1100
+
+We copy the unvalidated ioctl arguments from the user into kernel
+temporary memory to run the validation from, to avoid a race where the
+user updates the unvalidate contents in between validating them and
+copying them into the validated BO.
+
+However, in setting up the layout of the kernel side, we failed to
+check one of the additions (the roundup() for shader_rec_offset)
+against integer overflow, allowing a nearly MAX_UINT value of
+bin_cl_size to cause us to under-allocate the temporary space that we
+then copy_from_user into.
+
+Reported-by: Murray McAllister <murray.mcallister@insomniasec.com>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index db920771bfb5..c5fe3554858e 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -594,7 +594,8 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
+ args->shader_rec_count);
+ struct vc4_bo *bo;
+
+- if (uniforms_offset < shader_rec_offset ||
++ if (shader_rec_offset < args->bin_cl_size ||
++ uniforms_offset < shader_rec_offset ||
+ exec_size < uniforms_offset ||
+ args->shader_rec_count >= (UINT_MAX /
+ sizeof(struct vc4_shader_state)) ||
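Review bot: The condition that now begins `if (shader_rec_offset < args->bin_cl_size ||` carries no comment saying that each clause is an after-the-fact wraparound test on the preceding offset computation, which is the kind of gap that let the roundup() case described in the commit message go unchecked. A short comment above the `if` stating that every step of the layout (bin_cl_size, shader_rec_offset, uniforms_offset, exec_size) must be compared against the step before it would tell whoever adds another region that a matching clause is required. The new comparison is only a valid wrap test while both operands are unsigned; the declaration of shader_rec_offset is outside this hunk, so that is worth confirming when applying.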
+--
+2.11.0
+
+_______________________________________________
+dri-devel mailing list
+dri-devel@lists.freedesktop.org
+https://lists.freedesktop.org/mailman/listinfo/dri-devel
+
+From: Eric Anholt <eric@anholt.net>
+To: dri-devel@lists.freedesktop.org
+Subject: [PATCH 2/2] drm/vc4: Return -EINVAL on the overflow checks failing.
+Date: Wed, 18 Jan 2017 07:20:50 +1100
+
+By failing to set the errno, we'd continue on to trying to set up the
+RCL, and then oops on trying to dereference the tile_bo that binning
+validation should have set up.
+
+Reported-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index c5fe3554858e..ab3016982466 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -601,6 +601,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
+ sizeof(struct vc4_shader_state)) ||
+ temp_size < exec_size) {
+ DRM_ERROR("overflow in exec arguments\n");
++ ret = -EINVAL;
+ goto fail;
+ }
+
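Review bot: The `DRM_ERROR("overflow in exec arguments\n");` directly above the added `ret = -EINVAL;` is triggered by values taken from the ioctl arguments, so a caller that can submit to this ioctl can write to the kernel log at error level as often as it likes; a debug-level or rate-limited message would be a better fit now that the path returns a proper error code. The assignment itself is correctly placed before `goto fail`. Since the bug was a missing errno on one failure branch, it is also worth checking the other `goto fail` sites in vc4_get_bcl() for the same omission, as they are not visible in this hunk.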
+--
+2.11.0
+
+_______________________________________________
+dri-devel mailing list
+dri-devel@lists.freedesktop.org
+https://lists.freedesktop.org/mailman/listinfo/dri-devel
+