| From: Michal Srb <msrb@suse.com> |
| Date: Mon, 5 Feb 2018 16:04:38 +0000 |
| Subject: drm/i915/cmdparser: Do not check past the cmd length. |
| |
| commit 3aec7f871c65eb5f76b4125fda432593c834a6f2 upstream. |
| |
| The command MEDIA_VFE_STATE checks bits at offset +2 dwords. However, it is |
| possible to have MEDIA_VFE_STATE command with length = 0 + LENGTH_BIAS = 2. |
| In that case check_cmd will read bits from the following command, or even past |
| the end of the buffer. |
| |
| If the offset ends up outside of the command length, reject the command. |
| |
| Fixes: 351e3db2b363 ("drm/i915: Implement command buffer parsing logic") |
| Signed-off-by: Michal Srb <msrb@suse.com> |
| Link: https://patchwork.freedesktop.org/patch/msgid/20180205151745.29292-1-msrb@suse.com |
| Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk> |
| Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> |
| Link: https://patchwork.freedesktop.org/patch/msgid/20180205160438.3267-2-chris@chris-wilson.co.uk |
| [bwh: Backported to 3.16: Log ring->id rather than engine->name] |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| drivers/gpu/drm/i915/i915_cmd_parser.c | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| --- a/drivers/gpu/drm/i915/i915_cmd_parser.c |
| +++ b/drivers/gpu/drm/i915/i915_cmd_parser.c |
| @@ -941,6 +941,12 @@ static bool check_cmd(const struct intel |
| continue; |
| } |
| |
| + if (desc->bits[i].offset >= length) { |
| + DRM_DEBUG_DRIVER("CMD: Rejected command 0x%08X, too short to check bitmask (ring=%d)\n", |
| + *cmd, ring->id); |
| + return false; |
| + } |
| + |
| dword = cmd[desc->bits[i].offset] & |
| desc->bits[i].mask; |
| |
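Review bot: In the added check ahead of `dword = cmd[desc->bits[i].offset] & desc->bits[i].mask`, the offset is bounded only by the command's own `length`, so the read stays inside the buffer only if `length` was already validated against the space remaining in the batch. That validation is not visible in this hunk, and the commit message itself names reading past the end of the buffer as a failure mode. Please confirm the caller rejects commands whose length exceeds the remaining buffer before check_cmd runs, or add that bound here. The new test also sits after the block that ends in `continue`, so any dword that block reads is not covered by it and may need the same offset test. The DRM_DEBUG_DRIVER message would be easier to triage if it also logged `desc->bits[i].offset` and `length` alongside `*cmd` and `ring->id`.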