From mboxrd@z Thu Jan 1 00:00:00 1970 From: Sasha Levin Subject: Re: [PATCH stable-4.9+] drm/i915/dmc: protect against reading random memory Date: Wed, 3 Jul 2019 18:58:34 -0400 Message-ID: <20190703225834.GD10104@sasha-vm> References: <20190702192304.31955-1-lucas.demarchi@intel.com> <20190703121416.GD7784@kroah.com> <20190703162403.yyejmv6al3f6bvn7@ldmartin-desk1> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8"; Format="flowed" Content-Transfer-Encoding: base64 Return-path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by gabe.freedesktop.org (Postfix) with ESMTPS id D6CAA6E1CE for ; Wed, 3 Jul 2019 22:58:35 +0000 (UTC) Content-Disposition: inline In-Reply-To: <20190703162403.yyejmv6al3f6bvn7@ldmartin-desk1> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: intel-gfx-bounces@lists.freedesktop.org Sender: "Intel-gfx" To: Lucas De Marchi Cc: Greg KH , intel-gfx@lists.freedesktop.org, stable@vger.kernel.org List-Id: intel-gfx@lists.freedesktop.org T24gV2VkLCBKdWwgMDMsIDIwMTkgYXQgMDk6MjQ6MDNBTSAtMDcwMCwgTHVjYXMgRGUgTWFyY2hp IHdyb3RlOgo+T24gV2VkLCBKdWwgMDMsIDIwMTkgYXQgMDI6MTQ6MTZQTSArMDIwMCwgR3JlZyBL SCB3cm90ZToKPj5PbiBUdWUsIEp1bCAwMiwgMjAxOSBhdCAxMjoyMzowNFBNIC0wNzAwLCBMdWNh cyBEZSBNYXJjaGkgd3JvdGU6Cj4+PmNvbW1pdCBiYzdiNDg4YjFkMWM3MWRjNGM1MTgyMjA2OTEx MTI3YmM2YzQxMGQ2IHVwc3RyZWFtLgo+Pj4KPj4+V2hpbGUgbG9hZGluZyB0aGUgRE1DIGZpcm13 YXJlIHdlIHdlcmUgZG91YmxlIGNoZWNraW5nIHRoZSBoZWFkZXJzIG1hZGUKPj4+c2Vuc2UsIGJ1 dCBpbiBubyBwbGFjZSB3ZSBjaGVja2VkIHRoYXQgd2Ugd2VyZSBhY3R1YWxseSByZWFkaW5nIG1l bW9yeQo+Pj53ZSB3ZXJlIHN1cHBvc2VkIHRvLiBUaGlzIGNvdWxkIGJlIHdyb25nIGluIGNhc2Ug dGhlIGZpcm13YXJlIGZpbGUgaXMKPj4+dHJ1bmNhdGVkIG9yIG1hbGZvcm1lZC4KPj4+Cj4+PkJl Zm9yZSB0aGlzIHBhdGNoOgo+Pj4JIyBscyAtbCAvbGliL2Zpcm13YXJlL2k5MTUvaWNsX2RtY192 ZXIxXzA3LmJpbgo+Pj4JLXJ3LXItLXItLSAxIHJvb3Qgcm9vdCAgMjU3MTYgRmViICAxIDEyOjI2 IGljbF9kbWNfdmVyMV8wNy5iaW4KPj4+CSMgdHJ1bmNhdGUgLXMgMjU3MDAgL2xpYi9maXJtd2Fy ZS9pOTE1L2ljbF9kbWNfdmVyMV8wNy5iaW4KPj4+CSMgbW9kcHJvYmUgaTkxNQo+Pj4JIyBkbWVz Z3wgZ3JlcCAtaSBkbWMKPj4+CVtkcm06aW50ZWxfY3NyX3Vjb2RlX2luaXQgW2k5MTVdXSBMb2Fk aW5nIGk5MTUvaWNsX2RtY192ZXIxXzA3LmJpbgo+Pj4JW2RybV0gRmluaXNoZWQgbG9hZGluZyBE TUMgZmlybXdhcmUgaTkxNS9pY2xfZG1jX3ZlcjFfMDcuYmluICh2MS43KQo+Pj4KPj4+aS5lLiBp dCBsb2FkcyByYW5kb20gZGF0YS4gTm93IGl0IGZhaWxzIGxpa2UgYmVsb3c6Cj4+PglbZHJtOmlu dGVsX2Nzcl91Y29kZV9pbml0IFtpOTE1XV0gTG9hZGluZyBpOTE1L2ljbF9kbWNfdmVyMV8wNy5i aW4KPj4+CVtkcm06Y3NyX2xvYWRfd29ya19mbiBbaTkxNV1dICpFUlJPUiogVHJ1bmNhdGVkIERN QyBmaXJtd2FyZSwgcmVqZWN0aW5nLgo+Pj4JaTkxNSAwMDAwOjAwOjAyLjA6IEZhaWxlZCB0byBs b2FkIERNQyBmaXJtd2FyZSBpOTE1L2ljbF9kbWNfdmVyMV8wNy5iaW4uIERpc2FibGluZyBydW50 aW1lIHBvd2VyIG1hbmFnZW1lbnQuCj4+PglpOTE1IDAwMDA6MDA6MDIuMDogRE1DIGZpcm13YXJl IGhvbWVwYWdlOiBodHRwczovL2dpdC5rZXJuZWwub3JnL3B1Yi9zY20vbGludXgva2VybmVsL2dp dC9maXJtd2FyZS9saW51eC1maXJtd2FyZS5naXQvdHJlZS9pOTE1Cj4+Pgo+Pj5CZWZvcmUgcmVh ZGluZyBhbnkgcGFydCBvZiB0aGUgZmlybXdhcmUgZmlsZSwgdmFsaWRhdGUgdGhlIGlucHV0IGZp cnN0Lgo+Pj4KPj4+Rml4ZXM6IGViODA1NjIzZDhiMSAoImRybS9pOTE1L3NrbDogQWRkIHN1cHBv cnQgdG8gbG9hZCBTS0wgQ1NSIGZpcm13YXJlLiIpCj4+PlNpZ25lZC1vZmYtYnk6IEx1Y2FzIERl IE1hcmNoaSA8bHVjYXMuZGVtYXJjaGlAaW50ZWwuY29tPgo+Pj5SZXZpZXdlZC1ieTogUm9kcmln byBWaXZpIDxyb2RyaWdvLnZpdmlAaW50ZWwuY29tPgo+Pj5MaW5rOiBodHRwczovL3BhdGNod29y ay5mcmVlZGVza3RvcC5vcmcvcGF0Y2gvbXNnaWQvMjAxOTA2MDUyMzU1MzUuMTc3OTEtMS1sdWNh cy5kZW1hcmNoaUBpbnRlbC5jb20KPj4+KGNoZXJyeSBwaWNrZWQgZnJvbSBjb21taXQgYmM3YjQ4 OGIxZDFjNzFkYzRjNTE4MjIwNjkxMTEyN2JjNmM0MTBkNikKPj4+U2lnbmVkLW9mZi1ieTogSmFu aSBOaWt1bGEgPGphbmkubmlrdWxhQGludGVsLmNvbT4KPj4+WyBMdWNhczogYmFja3BvcnRlZCB0 byA0LjkrIGFkanVzdGluZyB0aGUgY29udGV4dCBdCj4+PkNjOiBzdGFibGVAdmdlci5rZXJuZWwu b3JnICMgdjQuOSsKPj4KPj5XaGF0IGFib3V0IGEgNC4xNC55IGFuZCA0LjE5LnkgYmFja3BvcnQg YXMgd2VsbD8gICBJIGNhbid0IHRha2UgdGhpcwo+PndpdGhvdXQgdGhvc2UgYXMgd2UgZG8gbm90 IHdhbnQgcGVvcGxlIHRvIHVwZ3JhZGUgYW5kIGhhdmUgYSByZWdyZXNzaW9uLgo+Cj5UaGUgZG9j dW1lbnRhdGlvbiBhYm91dCBzdGFibGUgcHJvY2VzcyBleHBsaWNpdGVseSBzYXlzIHRoZSBtZWFu aW5nIG9mCj50aGUgdGFnIGlzICdGb3IgZWFjaCAiLXN0YWJsZSIgdHJlZSBzdGFydGluZyB3aXRo IHRoZSBzcGVjaWZpZWQKPnZlcnNpb24uJy4gSSB0cmllZCB0byBtYWtlIGl0IGNsZWFyIGJ5IHVz aW5nIHRoZSAnKycgc3VmZml4IGFzIEkgc2F3IGluCj5vdGhlciBjb21taXRzIGluIHN0YWJsZSB0 cmVlLgo+Cj5UaGlzIHBhdGNoIGFwcGxpZXMgY2xlYW5seSB0byA0LjksIDQuMTQgYW5kIDQuMTku IFRoaXMgY29tbWl0IGlzIGFscmVhZHkKPmFwcGxpZWQgaW4gNS4xIGFzIGl0IGRpZG4ndCBuZWVk IGFueSBiYWNrcG9ydC4gVGhhdCB3YXMgdGhlIGludGVudGlvbiwgbGV0IG1lCj5rbm93IGlmIHRo YXQgaXMgbm90IHRoZSBwcm9wZXIgd2F5Lgo+Cj5UaGUgb25seSBtaXNzaW5nIHN0YWJsZSBpcyA0 LjQsIGJ1dCB0aGF0IG5lZWRzIG1vcmUgY2hhbmdlcyB0byB0aGUKPnBhdGNoLgoKVGhpcyB3b3Jr cywgSSd2ZSBxdWV1ZWQgaXQgdXAgZm9yIDQuOS00LjE5LCB0aGFuayB5b3UhCgotLQpUaGFua3Ms ClNhc2hhCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fCklu dGVsLWdmeCBtYWlsaW5nIGxpc3QKSW50ZWwtZ2Z4QGxpc3RzLmZyZWVkZXNrdG9wLm9yZwpodHRw czovL2xpc3RzLmZyZWVkZXNrdG9wLm9yZy9tYWlsbWFuL2xpc3RpbmZvL2ludGVsLWdmeA== From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.6 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C95C5C5B578 for ; Wed, 3 Jul 2019 22:58:37 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 9E039218A0 for ; Wed, 3 Jul 2019 22:58:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562194717; bh=1hp6cqHg6/+eEOnsGalmXc7FaMl1emsGZU5kfEwo8Eg=; h=Date:From:To:Cc:Subject:References:In-Reply-To:List-ID:From; b=0GoSeKWLxZYnEzW5VY2N1bAz2OnYxcwaJYdhYymajcc5k51qraSsQctEPUby59nz5 vxCJezdNdzuxZhMLX34y5vZiVFxTCi/ko13tktU1YGVbgpaFL5Oe0tMyrRCA9Zqoq3 JGQZ2XM4D699HNFZ+/A6mSCKx8ElhxQCuJywRx08= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727021AbfGCW6h (ORCPT ); Wed, 3 Jul 2019 18:58:37 -0400 Received: from mail.kernel.org ([198.145.29.99]:34460 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726902AbfGCW6h (ORCPT ); Wed, 3 Jul 2019 18:58:37 -0400 Received: from localhost (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 621C021852; Wed, 3 Jul 2019 22:58:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562194715; bh=1hp6cqHg6/+eEOnsGalmXc7FaMl1emsGZU5kfEwo8Eg=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=KXx9MjjOeVtTQJbCYLUzCqj1nUXRRCiLRhO/ziDEv13/1+0VTlglf491so0DUU2ot LcLiC3sMQQjSpbljqIm1I/QxnBPfI63KIPCj7x+sWTGcYyPf/OTpNqPwSdb07nsuqi KlTk3VFhfiGTcovqyRbQEVJPVXDLva+NSJzv3HxM= Date: Wed, 3 Jul 2019 18:58:34 -0400 From: Sasha Levin To: Lucas De Marchi Cc: Greg KH , stable@vger.kernel.org, intel-gfx@lists.freedesktop.org Subject: Re: [PATCH stable-4.9+] drm/i915/dmc: protect against reading random memory Message-ID: <20190703225834.GD10104@sasha-vm> References: <20190702192304.31955-1-lucas.demarchi@intel.com> <20190703121416.GD7784@kroah.com> <20190703162403.yyejmv6al3f6bvn7@ldmartin-desk1> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: <20190703162403.yyejmv6al3f6bvn7@ldmartin-desk1> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org On Wed, Jul 03, 2019 at 09:24:03AM -0700, Lucas De Marchi wrote: >On Wed, Jul 03, 2019 at 02:14:16PM +0200, Greg KH wrote: >>On Tue, Jul 02, 2019 at 12:23:04PM -0700, Lucas De Marchi wrote: >>>commit bc7b488b1d1c71dc4c5182206911127bc6c410d6 upstream. >>> >>>While loading the DMC firmware we were double checking the headers made >>>sense, but in no place we checked that we were actually reading memory >>>we were supposed to. This could be wrong in case the firmware file is >>>truncated or malformed. >>> >>>Before this patch: >>> # ls -l /lib/firmware/i915/icl_dmc_ver1_07.bin >>> -rw-r--r-- 1 root root 25716 Feb 1 12:26 icl_dmc_ver1_07.bin >>> # truncate -s 25700 /lib/firmware/i915/icl_dmc_ver1_07.bin >>> # modprobe i915 >>> # dmesg| grep -i dmc >>> [drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin >>> [drm] Finished loading DMC firmware i915/icl_dmc_ver1_07.bin (v1.7) >>> >>>i.e. it loads random data. Now it fails like below: >>> [drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin >>> [drm:csr_load_work_fn [i915]] *ERROR* Truncated DMC firmware, rejecting. >>> i915 0000:00:02.0: Failed to load DMC firmware i915/icl_dmc_ver1_07.bin. Disabling runtime power management. >>> i915 0000:00:02.0: DMC firmware homepage: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/i915 >>> >>>Before reading any part of the firmware file, validate the input first. >>> >>>Fixes: eb805623d8b1 ("drm/i915/skl: Add support to load SKL CSR firmware.") >>>Signed-off-by: Lucas De Marchi >>>Reviewed-by: Rodrigo Vivi >>>Link: https://patchwork.freedesktop.org/patch/msgid/20190605235535.17791-1-lucas.demarchi@intel.com >>>(cherry picked from commit bc7b488b1d1c71dc4c5182206911127bc6c410d6) >>>Signed-off-by: Jani Nikula >>>[ Lucas: backported to 4.9+ adjusting the context ] >>>Cc: stable@vger.kernel.org # v4.9+ >> >>What about a 4.14.y and 4.19.y backport as well? I can't take this >>without those as we do not want people to upgrade and have a regression. > >The documentation about stable process explicitely says the meaning of >the tag is 'For each "-stable" tree starting with the specified >version.'. I tried to make it clear by using the '+' suffix as I saw in >other commits in stable tree. > >This patch applies cleanly to 4.9, 4.14 and 4.19. This commit is already >applied in 5.1 as it didn't need any backport. That was the intention, let me >know if that is not the proper way. > >The only missing stable is 4.4, but that needs more changes to the >patch. This works, I've queued it up for 4.9-4.19, thank you! -- Thanks, Sasha