From: Yu Zhao <yuzhao@google.com>
To: "Michel Dänzer" <michel@daenzer.net>,
"David Airlie" <airlied@linux.ie>,
"Daniel Vetter" <daniel@ffwll.ch>,
"Christian König" <christian.koenig@amd.com>,
"Alex Deucher" <alexander.deucher@amd.com>
Cc: David Zhou <David1.Zhou@amd.com>, Samuel Li <Samuel.Li@amd.com>,
Harry Wentland <harry.wentland@amd.com>,
Junwei Zhang <Jerry.Zhang@amd.com>,
Daniel Stone <daniels@collabora.com>,
amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org,
linux-kernel@vger.kernel.org, Yu Zhao <yuzhao@google.com>,
stable@vger.kernel.org
Subject: [PATCH v6 2/2] drm/amd: validate user GEM object size
Date: Mon, 7 Jan 2019 15:51:15 -0700 [thread overview]
Message-ID: <20190107225115.163992-2-yuzhao@google.com> (raw)
In-Reply-To: <20190107225115.163992-1-yuzhao@google.com>
When creating frame buffer, userspace may request to attach to a
previously allocated GEM object that is smaller than what GPU
requires. Validation must be done to prevent out-of-bound DMA,
otherwise it could be exploited to reveal sensitive data.
This fix is not done in a common code path because individual
driver might have different requirement.
Cc: stable@vger.kernel.org # v4.2+
Signed-off-by: Yu Zhao <yuzhao@google.com>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
index de9f198d5371..32b7648b7ef4 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
@@ -527,6 +527,7 @@ amdgpu_display_user_framebuffer_create(struct drm_device *dev,
struct drm_gem_object *obj;
struct amdgpu_framebuffer *amdgpu_fb;
int ret;
+ int height;
struct amdgpu_device *adev = dev->dev_private;
int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0);
int pitch = mode_cmd->pitches[0] / cpp;
@@ -551,6 +552,13 @@ amdgpu_display_user_framebuffer_create(struct drm_device *dev,
return ERR_PTR(-EINVAL);
}
+ height = ALIGN(mode_cmd->height, 8);
+ if (obj->size < pitch * height) {
+ DRM_DEBUG_KMS("Invalid GEM size: expecting >= %d but got %zu\n",
+ pitch * height, obj->size);
+ return ERR_PTR(-EINVAL);
+ }
+
amdgpu_fb = kzalloc(sizeof(*amdgpu_fb), GFP_KERNEL);
if (amdgpu_fb == NULL) {
drm_gem_object_put_unlocked(obj);
--
2.20.1.97.g81188d93c3-goog
next prev parent reply other threads:[~2019-01-07 22:51 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-21 3:10 [PATCH 1/3] drm/amd: fix race in page flip job Yu Zhao
2018-12-21 3:10 ` [PATCH 2/3] drm/amd: validate user pitch alignment Yu Zhao
[not found] ` <20181221031053.240161-2-yuzhao-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
2018-12-21 9:04 ` Michel Dänzer
2018-12-21 9:04 ` Michel Dänzer
2018-12-21 9:07 ` Michel Dänzer
2018-12-21 9:07 ` Michel Dänzer
2018-12-21 19:41 ` Yu Zhao
2018-12-23 21:44 ` Yu Zhao
2018-12-27 11:54 ` Michel Dänzer
2018-12-27 11:54 ` Michel Dänzer
2018-12-21 19:47 ` [PATCH v2 1/2] " Yu Zhao
2018-12-21 19:47 ` [PATCH v2 2/2] drm/amd: validate user GEM object size Yu Zhao
2018-12-22 9:40 ` kbuild test robot
2018-12-22 9:40 ` kbuild test robot
[not found] ` <20181221194739.25523-2-yuzhao-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
2018-12-23 7:46 ` kbuild test robot
2018-12-23 7:46 ` kbuild test robot
2018-12-22 19:27 ` [PATCH v3 1/2] drm/amd: validate user pitch alignment Yu Zhao
2018-12-22 19:27 ` [PATCH v3 2/2] drm/amd: validate user GEM object size Yu Zhao
2018-12-23 21:52 ` [PATCH v4 1/2] drm/amd: validate user pitch alignment Yu Zhao
2018-12-23 21:52 ` [PATCH v4 2/2] drm/amd: validate user GEM object size Yu Zhao
2018-12-30 1:00 ` [PATCH v5 1/2] drm/amd: validate user pitch alignment Yu Zhao
2018-12-30 1:00 ` [PATCH v5 2/2] drm/amd: validate user GEM object size Yu Zhao
2019-01-03 16:33 ` [PATCH v5 1/2] drm/amd: validate user pitch alignment Michel Dänzer
2019-01-03 16:33 ` Michel Dänzer
2019-01-07 4:00 ` Yu Zhao
[not found] ` <20190107040038.GA180037-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
2019-01-07 9:54 ` Michel Dänzer
2019-01-07 9:54 ` Michel Dänzer
2019-01-07 22:51 ` [PATCH v6 " Yu Zhao
2019-01-07 22:51 ` Yu Zhao [this message]
[not found] ` <20190107225115.163992-1-yuzhao-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
2019-01-08 15:25 ` Michel Dänzer
2019-01-08 15:25 ` Michel Dänzer
2018-12-21 3:10 ` [PATCH 3/3] drm/amd: validate user GEM object size Yu Zhao
[not found] ` <20181221031053.240161-3-yuzhao-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
2018-12-21 9:09 ` Michel Dänzer
2018-12-21 9:09 ` Michel Dänzer
2018-12-22 4:51 ` kbuild test robot
2018-12-22 4:51 ` kbuild test robot
2018-12-22 2:15 ` kbuild test robot
2018-12-21 8:56 ` [PATCH 1/3] drm/amd: fix race in page flip job Michel Dänzer
2018-12-21 8:56 ` Michel Dänzer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190107225115.163992-2-yuzhao@google.com \
--to=yuzhao@google.com \
--cc=David1.Zhou@amd.com \
--cc=Jerry.Zhang@amd.com \
--cc=Samuel.Li@amd.com \
--cc=airlied@linux.ie \
--cc=alexander.deucher@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=christian.koenig@amd.com \
--cc=daniel@ffwll.ch \
--cc=daniels@collabora.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=harry.wentland@amd.com \
--cc=linux-kernel@vger.kernel.org \
--cc=michel@daenzer.net \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.