From: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
To: Lucas De Marchi <lucas.demarchi@intel.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>, intel-gfx@lists.freedesktop.org
Subject: Re: [PATCH] drm/i915/dmc: protect against reading random memory
Date: Wed, 3 Jul 2019 22:43:25 +0300 [thread overview]
Message-ID: <20190703194325.GD5942@intel.com> (raw)
In-Reply-To: <20190605235535.17791-1-lucas.demarchi@intel.com>
On Wed, Jun 05, 2019 at 04:55:35PM -0700, Lucas De Marchi wrote:
> While loading the DMC firmware we were double checking the headers made
> sense, but in no place we checked that we were actually reading memory
> we were supposed to. This could be wrong in case the firmware file is
> truncated or malformed.
Random idea: Should we hash the file and store the hash in the driver?
If the file gets corrupted in other ways this would prevent us feeding
garbage to the dmc. Although it would then make testing firmware
modifications a bit more tedious as you'd have to adjust the hash or
bypass the check somehow.
>
> Before this patch:
> # ls -l /lib/firmware/i915/icl_dmc_ver1_07.bin
> -rw-r--r-- 1 root root 25716 Feb 1 12:26 icl_dmc_ver1_07.bin
> # truncate -s 25700 /lib/firmware/i915/icl_dmc_ver1_07.bin
> # modprobe i915
> # dmesg| grep -i dmc
> [drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin
> [drm] Finished loading DMC firmware i915/icl_dmc_ver1_07.bin (v1.7)
>
> i.e. it loads random data. Now it fails like below:
> [drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin
> [drm:csr_load_work_fn [i915]] *ERROR* Truncated DMC firmware, rejecting.
> i915 0000:00:02.0: Failed to load DMC firmware i915/icl_dmc_ver1_07.bin. Disabling runtime power management.
> i915 0000:00:02.0: DMC firmware homepage: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/i915
>
> Before reading any part of the firmware file, validate the input first.
>
> Fixes: eb805623d8b1 ("drm/i915/skl: Add support to load SKL CSR firmware.")
> Cc: stable@vger.kernel.org
> Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
> ---
>
> This has been extracted from the bigger series
> https://patchwork.freedesktop.org/series/61016/ in a way that can be
> propagated to stable.
>
> drivers/gpu/drm/i915/intel_csr.c | 18 ++++++++++++++++++
> 1 file changed, 18 insertions(+)
>
> diff --git a/drivers/gpu/drm/i915/intel_csr.c b/drivers/gpu/drm/i915/intel_csr.c
> index 4527b9662330..bf0eebd385b9 100644
> --- a/drivers/gpu/drm/i915/intel_csr.c
> +++ b/drivers/gpu/drm/i915/intel_csr.c
> @@ -303,10 +303,17 @@ static u32 *parse_csr_fw(struct drm_i915_private *dev_priv,
> u32 dmc_offset = CSR_DEFAULT_FW_OFFSET, readcount = 0, nbytes;
> u32 i;
> u32 *dmc_payload;
> + size_t fsize;
>
> if (!fw)
> return NULL;
>
> + fsize = sizeof(struct intel_css_header) +
> + sizeof(struct intel_package_header) +
> + sizeof(struct intel_dmc_header);
> + if (fsize > fw->size)
> + goto error_truncated;
> +
> /* Extract CSS Header information*/
> css_header = (struct intel_css_header *)fw->data;
> if (sizeof(struct intel_css_header) !=
> @@ -366,6 +373,9 @@ static u32 *parse_csr_fw(struct drm_i915_private *dev_priv,
> /* Convert dmc_offset into number of bytes. By default it is in dwords*/
> dmc_offset *= 4;
> readcount += dmc_offset;
> + fsize += dmc_offset;
> + if (fsize > fw->size)
> + goto error_truncated;
>
> /* Extract dmc_header information. */
> dmc_header = (struct intel_dmc_header *)&fw->data[readcount];
> @@ -397,6 +407,10 @@ static u32 *parse_csr_fw(struct drm_i915_private *dev_priv,
>
> /* fw_size is in dwords, so multiplied by 4 to convert into bytes. */
> nbytes = dmc_header->fw_size * 4;
> + fsize += nbytes;
> + if (fsize > fw->size)
> + goto error_truncated;
> +
> if (nbytes > csr->max_fw_size) {
> DRM_ERROR("DMC FW too big (%u bytes)\n", nbytes);
> return NULL;
> @@ -410,6 +424,10 @@ static u32 *parse_csr_fw(struct drm_i915_private *dev_priv,
> }
>
> return memcpy(dmc_payload, &fw->data[readcount], nbytes);
> +
> +error_truncated:
> + DRM_ERROR("Truncated DMC firmware, rejecting.\n");
> + return NULL;
> }
>
> static void intel_csr_runtime_pm_get(struct drm_i915_private *dev_priv)
> --
> 2.21.0
>
> _______________________________________________
> Intel-gfx mailing list
> Intel-gfx@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/intel-gfx
--
Ville Syrjälä
Intel
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
prev parent reply other threads:[~2019-07-03 19:43 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-05 23:55 [PATCH] drm/i915/dmc: protect against reading random memory Lucas De Marchi
2019-06-06 0:14 ` ✗ Fi.CI.CHECKPATCH: warning for " Patchwork
2019-06-06 0:38 ` ✓ Fi.CI.BAT: success " Patchwork
2019-06-06 13:16 ` [PATCH] " Rodrigo Vivi
2019-07-03 19:43 ` Ville Syrjälä [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190703194325.GD5942@intel.com \
--to=ville.syrjala@linux.intel.com \
--cc=daniel.vetter@ffwll.ch \
--cc=intel-gfx@lists.freedesktop.org \
--cc=lucas.demarchi@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.