From: Dmitry Osipenko <digetx-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: Thierry Reding
<thierry.reding-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
Mikko Perttunen <cyndis-/1wQRMveznE@public.gmane.org>
Cc: linux-tegra-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
DRI Development
<dri-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org>,
Erik Faye-Lund
<kusmabite-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Subject: [PATCH 04/22] drm/tegra: Check for malformed offsets and sizes in the 'submit' IOCTL
Date: Tue, 23 May 2017 03:14:19 +0300 [thread overview]
Message-ID: <801e3023e6fe11744c7e675ca7b9c5890e3210f2.1495498184.git.digetx@gmail.com> (raw)
In-Reply-To: <cover.1495498184.git.digetx-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
If a commands buffer claims a number of words higher than its BO can
fit, a kernel OOPS will be fired on the out-of-bounds BO access. This was
triggered by an opentegra Xorg driver that erroneously pushed too many
commands to the pushbuf.

The CDMA commands buffer address is 4-byte aligned, so check its alignment.
The maximum number of CDMA gather fetches is 16383, so add a check for it.
Add a sanity check for the relocations in the same way.
[ 46.829393] Unable to handle kernel paging request at virtual address f09b2000
...
[<c04a3ba4>] (host1x_job_pin) from [<c04dfcd0>] (tegra_drm_submit+0x474/0x510)
[<c04dfcd0>] (tegra_drm_submit) from [<c04deea0>] (tegra_submit+0x50/0x6c)
[<c04deea0>] (tegra_submit) from [<c04c07c0>] (drm_ioctl+0x1e4/0x3ec)
[<c04c07c0>] (drm_ioctl) from [<c02541a0>] (do_vfs_ioctl+0x9c/0x8e4)
[<c02541a0>] (do_vfs_ioctl) from [<c0254a1c>] (SyS_ioctl+0x34/0x5c)
[<c0254a1c>] (SyS_ioctl) from [<c0107640>] (ret_fast_syscall+0x0/0x3c)
Signed-off-by: Dmitry Osipenko <digetx-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Reviewed-by: Erik Faye-Lund <kusmabite-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
drivers/gpu/drm/tegra/drm.c | 48 +++++++++++++++++++++++++++++++++++++++++++++
drivers/gpu/drm/tegra/gem.c | 5 -----
drivers/gpu/drm/tegra/gem.h | 5 +++++
3 files changed, 53 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/tegra/drm.c b/drivers/gpu/drm/tegra/drm.c
index f9282da94a1f..7e4559ec824d 100644
--- a/drivers/gpu/drm/tegra/drm.c
+++ b/drivers/gpu/drm/tegra/drm.c
@@ -26,6 +26,7 @@
#define DRIVER_PATCHLEVEL 0
#define CARVEOUT_SZ SZ_64M
+#define CDMA_GATHER_FETCHES_MAX_NB 16383
struct tegra_drm_file {
struct idr contexts;
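Review bot: the new CDMA_GATHER_FETCHES_MAX_NB define has no comment saying where 16383 comes from; the only explanation is the comment inside tegra_drm_submit in the next hunk, so a one-line comment next to the define (that it is the maximum number of CDMA gather fetches, as the commit message states) would help a reader who finds the constant first.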
@@ -383,18 +384,41 @@ int tegra_drm_submit(struct tegra_drm_context *context,
while (num_cmdbufs) {
struct drm_tegra_cmdbuf cmdbuf;
struct host1x_bo *bo;
+ struct tegra_bo *obj;
+ u64 offset;
if (copy_from_user(&cmdbuf, cmdbufs, sizeof(cmdbuf))) {
err = -EFAULT;
goto fail;
}
+ /*
+ * The maximum number of CDMA gather fetches is 16383, a higher
+ * value means the words count is malformed.
+ */
+ if (cmdbuf.words > CDMA_GATHER_FETCHES_MAX_NB) {
+ err = -EINVAL;
+ goto fail;
+ }
+
bo = host1x_bo_lookup(file, cmdbuf.handle);
if (!bo) {
err = -ENOENT;
goto fail;
}
+ offset = (u64)cmdbuf.offset + (u64)cmdbuf.words * sizeof(u32);
+ obj = host1x_to_tegra_bo(bo);
+
+ /*
+ * The CDMA base address if 4-bytes aligned, unaligned offset
+ * is malformed.
+ */
+ if (offset & 3 || offset >= obj->gem.size) {
+ err = -EINVAL;
+ goto fail;
+ }
+
host1x_job_add_gather(job, bo, cmdbuf.words, cmdbuf.offset);
num_cmdbufs--;
cmdbufs++;
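Review bot: the bounds check `if (offset & 3 || offset >= obj->gem.size)` is off by one: `offset` is computed as `cmdbuf.offset + cmdbuf.words * sizeof(u32)`, i.e. the end of the gather, so a command buffer whose last word ends exactly at `gem.size` is valid yet rejected; the comparison should be `offset > obj->gem.size`. A `cmdbuf.words` of zero also passes both new checks and reaches host1x_job_add_gather, so consider rejecting it alongside the maximum. The comment above the check reads "The CDMA base address if 4-bytes aligned" and should say "is".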
@@ -402,11 +426,35 @@ int tegra_drm_submit(struct tegra_drm_context *context,
/* copy and resolve relocations from submit */
while (num_relocs--) {
+ struct host1x_reloc *reloc;
+ struct tegra_bo *obj;
+
err = host1x_reloc_copy_from_user(&job->relocarray[num_relocs],
&relocs[num_relocs], drm,
file);
if (err < 0)
goto fail;
+
+ reloc = &job->relocarray[num_relocs];
+ obj = host1x_to_tegra_bo(reloc->cmdbuf.bo);
+
+ /*
+ * The unaligned cmdbuf offset will cause an unaligned write
+ * during of the relocations patching, corrupting the commands
+ * stream.
+ */
+ if (reloc->cmdbuf.offset & 3 ||
+ reloc->cmdbuf.offset >= obj->gem.size) {
+ err = -EINVAL;
+ goto fail;
+ }
+
+ obj = host1x_to_tegra_bo(reloc->target.bo);
+
+ if (reloc->target.offset >= obj->gem.size) {
+ err = -EINVAL;
+ goto fail;
+ }
}
if (copy_from_user(job->waitchk, waitchks,
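Review bot: `reloc->cmdbuf.offset >= obj->gem.size` only bounds the start of the 32-bit word that relocation patching writes; since the offset is 4-byte aligned this is safe only if `gem.size` is always a multiple of 4, otherwise an aligned offset just below `gem.size` still lets the write run past the end, and `reloc->cmdbuf.offset + sizeof(u32) > obj->gem.size` is the safer form. Reusing the single `obj` variable for both the cmdbuf BO and the target BO also makes the two checks easy to confuse; two named variables (e.g. `cmdbuf_obj` and `target_obj`) would read better. The comment "during of the relocations patching" should read "during relocation patching".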
diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c
index ca0d4439e97b..6a855b2f07fb 100644
--- a/drivers/gpu/drm/tegra/gem.c
+++ b/drivers/gpu/drm/tegra/gem.c
@@ -20,11 +20,6 @@
#include "drm.h"
#include "gem.h"
-static inline struct tegra_bo *host1x_to_tegra_bo(struct host1x_bo *bo)
-{
- return container_of(bo, struct tegra_bo, base);
-}
-
static void tegra_bo_put(struct host1x_bo *bo)
{
struct tegra_bo *obj = host1x_to_tegra_bo(bo);
diff --git a/drivers/gpu/drm/tegra/gem.h b/drivers/gpu/drm/tegra/gem.h
index 6c5f12ac0087..8b32a6fd586d 100644
--- a/drivers/gpu/drm/tegra/gem.h
+++ b/drivers/gpu/drm/tegra/gem.h
@@ -52,6 +52,11 @@ static inline struct tegra_bo *to_tegra_bo(struct drm_gem_object *gem)
return container_of(gem, struct tegra_bo, gem);
}
+static inline struct tegra_bo *host1x_to_tegra_bo(struct host1x_bo *bo)
+{
+ return container_of(bo, struct tegra_bo, base);
+}
+
struct tegra_bo *tegra_bo_create(struct drm_device *drm, size_t size,
unsigned long flags);
struct tegra_bo *tegra_bo_create_with_handle(struct drm_file *file,
--
2.13.0