From: Tobias Jakobi <tjakobi@math.uni-bielefeld.de>
To: Joonyoung Shim <jy0922.shim@samsung.com>,
dri-devel@lists.freedesktop.org
Cc: linux-samsung-soc@vger.kernel.org, sw0312.kim@samsung.com
Subject: Re: [PATCH] drm/exynos: g2d: fix overflow of cmdlist size
Date: Tue, 17 Jan 2017 15:24:34 +0100 [thread overview]
Message-ID: <587E2922.10805@math.uni-bielefeld.de> (raw)
In-Reply-To: <1484628126-21671-1-git-send-email-jy0922.shim@samsung.com>
Joonyoung Shim wrote:
> The size of cmdlist is integer type, so it can be overflowed by cmd and
> cmd_buf that has too big size. This patch will fix overflow issue as
> checking maximum size of cmd and cmd_buf.
I don't understand/see the issue here. Could you point out for which
input of the set_cmdlist ioctl you see this particular overflow?
In particular it is not clear to me which size field you're talking
about. struct g2d_cmdlist does not have any field named 'size'.
With best wishes,
Tobias
> Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
> ---
> drivers/gpu/drm/exynos/exynos_drm_g2d.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/exynos/exynos_drm_g2d.c b/drivers/gpu/drm/exynos/exynos_drm_g2d.c
> index fbd13fa..b31244f 100644
> --- a/drivers/gpu/drm/exynos/exynos_drm_g2d.c
> +++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.c
> @@ -1250,7 +1250,14 @@ int exynos_g2d_set_cmdlist_ioctl(struct drm_device *drm_dev, void *data,
> cmdlist->data[cmdlist->last++] = G2D_INTEN_ACF;
> }
>
> - /* Check size of cmdlist: last 2 is about G2D_BITBLT_START */
> + /* Check size of cmd and cmdlist: last 2 is about G2D_BITBLT_START */
> + size = (G2D_CMDLIST_DATA_NUM - cmdlist->last - 2) / 2;
> + if (req->cmd_nr > size || req->cmd_buf_nr > size) {
> + dev_err(dev, "size of cmd or cmd_buf is too big\n");
> + ret = -EINVAL;
> + goto err_free_event;
> + }
> +
> size = cmdlist->last + req->cmd_nr * 2 + req->cmd_buf_nr * 2 + 2;
> if (size > G2D_CMDLIST_DATA_NUM) {
> dev_err(dev, "cmdlist size is too big\n");
>
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
next prev parent reply other threads:[~2017-01-17 14:24 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20170117044134epcas5p2d0e67623efa7eb0b9a1ad6f8a593f0c4@epcas5p2.samsung.com>
2017-01-17 4:42 ` [PATCH] drm/exynos: g2d: fix overflow of cmdlist size Joonyoung Shim
2017-01-17 14:24 ` Tobias Jakobi [this message]
2017-01-18 0:30 ` Joonyoung Shim
2017-01-19 13:16 ` Tobias Jakobi
2017-01-19 23:53 ` Joonyoung Shim
2017-01-20 16:05 ` Tobias Jakobi
2017-01-23 8:22 ` Joonyoung Shim
2017-01-23 9:10 ` Inki Dae
2017-01-23 12:47 ` Tobias Jakobi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=587E2922.10805@math.uni-bielefeld.de \
--to=tjakobi@math.uni-bielefeld.de \
--cc=dri-devel@lists.freedesktop.org \
--cc=jy0922.shim@samsung.com \
--cc=linux-samsung-soc@vger.kernel.org \
--cc=sw0312.kim@samsung.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.