From: Sasha Levin <sashal@kernel.org>
To: Lucas De Marchi <lucas.demarchi@intel.com>
Cc: Greg KH <greg@kroah.com>,
intel-gfx@lists.freedesktop.org, stable@vger.kernel.org
Subject: Re: [PATCH stable-4.9+] drm/i915/dmc: protect against reading random memory
Date: Wed, 3 Jul 2019 18:58:34 -0400 [thread overview]
Message-ID: <20190703225834.GD10104@sasha-vm> (raw)
In-Reply-To: <20190703162403.yyejmv6al3f6bvn7@ldmartin-desk1>
On Wed, Jul 03, 2019 at 09:24:03AM -0700, Lucas De Marchi wrote:
>On Wed, Jul 03, 2019 at 02:14:16PM +0200, Greg KH wrote:
>>On Tue, Jul 02, 2019 at 12:23:04PM -0700, Lucas De Marchi wrote:
>>>commit bc7b488b1d1c71dc4c5182206911127bc6c410d6 upstream.
>>>
>>>While loading the DMC firmware we were double checking the headers made
>>>sense, but in no place we checked that we were actually reading memory
>>>we were supposed to. This could be wrong in case the firmware file is
>>>truncated or malformed.
>>>
>>>Before this patch:
>>> # ls -l /lib/firmware/i915/icl_dmc_ver1_07.bin
>>> -rw-r--r-- 1 root root 25716 Feb 1 12:26 icl_dmc_ver1_07.bin
>>> # truncate -s 25700 /lib/firmware/i915/icl_dmc_ver1_07.bin
>>> # modprobe i915
>>> # dmesg| grep -i dmc
>>> [drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin
>>> [drm] Finished loading DMC firmware i915/icl_dmc_ver1_07.bin (v1.7)
>>>
>>>i.e. it loads random data. Now it fails like below:
>>> [drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin
>>> [drm:csr_load_work_fn [i915]] *ERROR* Truncated DMC firmware, rejecting.
>>> i915 0000:00:02.0: Failed to load DMC firmware i915/icl_dmc_ver1_07.bin. Disabling runtime power management.
>>> i915 0000:00:02.0: DMC firmware homepage: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/i915
>>>
>>>Before reading any part of the firmware file, validate the input first.
>>>
>>>Fixes: eb805623d8b1 ("drm/i915/skl: Add support to load SKL CSR firmware.")
>>>Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
>>>Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
>>>Link: https://patchwork.freedesktop.org/patch/msgid/20190605235535.17791-1-lucas.demarchi@intel.com
>>>(cherry picked from commit bc7b488b1d1c71dc4c5182206911127bc6c410d6)
>>>Signed-off-by: Jani Nikula <jani.nikula@intel.com>
>>>[ Lucas: backported to 4.9+ adjusting the context ]
>>>Cc: stable@vger.kernel.org # v4.9+
>>
>>What about a 4.14.y and 4.19.y backport as well? I can't take this
>>without those as we do not want people to upgrade and have a regression.
>
>The documentation about stable process explicitely says the meaning of
>the tag is 'For each "-stable" tree starting with the specified
>version.'. I tried to make it clear by using the '+' suffix as I saw in
>other commits in stable tree.
>
>This patch applies cleanly to 4.9, 4.14 and 4.19. This commit is already
>applied in 5.1 as it didn't need any backport. That was the intention, let me
>know if that is not the proper way.
>
>The only missing stable is 4.4, but that needs more changes to the
>patch.
This works, I've queued it up for 4.9-4.19, thank you!
--
Thanks,
Sasha
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal@kernel.org>
To: Lucas De Marchi <lucas.demarchi@intel.com>
Cc: Greg KH <greg@kroah.com>,
stable@vger.kernel.org, intel-gfx@lists.freedesktop.org
Subject: Re: [PATCH stable-4.9+] drm/i915/dmc: protect against reading random memory
Date: Wed, 3 Jul 2019 18:58:34 -0400 [thread overview]
Message-ID: <20190703225834.GD10104@sasha-vm> (raw)
In-Reply-To: <20190703162403.yyejmv6al3f6bvn7@ldmartin-desk1>
On Wed, Jul 03, 2019 at 09:24:03AM -0700, Lucas De Marchi wrote:
>On Wed, Jul 03, 2019 at 02:14:16PM +0200, Greg KH wrote:
>>On Tue, Jul 02, 2019 at 12:23:04PM -0700, Lucas De Marchi wrote:
>>>commit bc7b488b1d1c71dc4c5182206911127bc6c410d6 upstream.
>>>
>>>While loading the DMC firmware we were double checking the headers made
>>>sense, but in no place we checked that we were actually reading memory
>>>we were supposed to. This could be wrong in case the firmware file is
>>>truncated or malformed.
>>>
>>>Before this patch:
>>> # ls -l /lib/firmware/i915/icl_dmc_ver1_07.bin
>>> -rw-r--r-- 1 root root 25716 Feb 1 12:26 icl_dmc_ver1_07.bin
>>> # truncate -s 25700 /lib/firmware/i915/icl_dmc_ver1_07.bin
>>> # modprobe i915
>>> # dmesg| grep -i dmc
>>> [drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin
>>> [drm] Finished loading DMC firmware i915/icl_dmc_ver1_07.bin (v1.7)
>>>
>>>i.e. it loads random data. Now it fails like below:
>>> [drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin
>>> [drm:csr_load_work_fn [i915]] *ERROR* Truncated DMC firmware, rejecting.
>>> i915 0000:00:02.0: Failed to load DMC firmware i915/icl_dmc_ver1_07.bin. Disabling runtime power management.
>>> i915 0000:00:02.0: DMC firmware homepage: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/i915
>>>
>>>Before reading any part of the firmware file, validate the input first.
>>>
>>>Fixes: eb805623d8b1 ("drm/i915/skl: Add support to load SKL CSR firmware.")
>>>Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
>>>Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
>>>Link: https://patchwork.freedesktop.org/patch/msgid/20190605235535.17791-1-lucas.demarchi@intel.com
>>>(cherry picked from commit bc7b488b1d1c71dc4c5182206911127bc6c410d6)
>>>Signed-off-by: Jani Nikula <jani.nikula@intel.com>
>>>[ Lucas: backported to 4.9+ adjusting the context ]
>>>Cc: stable@vger.kernel.org # v4.9+
>>
>>What about a 4.14.y and 4.19.y backport as well? I can't take this
>>without those as we do not want people to upgrade and have a regression.
>
>The documentation about stable process explicitely says the meaning of
>the tag is 'For each "-stable" tree starting with the specified
>version.'. I tried to make it clear by using the '+' suffix as I saw in
>other commits in stable tree.
>
>This patch applies cleanly to 4.9, 4.14 and 4.19. This commit is already
>applied in 5.1 as it didn't need any backport. That was the intention, let me
>know if that is not the proper way.
>
>The only missing stable is 4.4, but that needs more changes to the
>patch.
This works, I've queued it up for 4.9-4.19, thank you!
--
Thanks,
Sasha
next prev parent reply other threads:[~2019-07-03 22:58 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-02 19:23 [PATCH stable-4.9+] drm/i915/dmc: protect against reading random memory Lucas De Marchi
2019-07-02 21:24 ` ✗ Fi.CI.BAT: failure for drm/i915/dmc: protect against reading random memory (rev2) Patchwork
2019-07-03 12:14 ` [PATCH stable-4.9+] drm/i915/dmc: protect against reading random memory Greg KH
2019-07-03 16:24 ` Lucas De Marchi
2019-07-03 22:58 ` Sasha Levin [this message]
2019-07-03 22:58 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190703225834.GD10104@sasha-vm \
--to=sashal@kernel.org \
--cc=greg@kroah.com \
--cc=intel-gfx@lists.freedesktop.org \
--cc=lucas.demarchi@intel.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.