Message ID | 20180205142916.27092-3-msrb@suse.com (mailing list archive) |
---|---|
State | New, archived |
Quoting Michal Srb (2018-02-05 14:29:16) > The command MEDIA_VFE_STATE checks bits at offset +2 dwords. However, it is > possible to have MEDIA_VFE_STATE command with length = 0 + LENGTH_BIAS = 2. > In that case check_cmd will read bits from the following command, or even past > the end of the buffer. > > Similarly to how registers are checked - if the offset ends up outside of the > command length, just ignore it. > > Signed-off-by: Michal Srb <msrb@suse.com> > --- > drivers/gpu/drm/i915/i915_cmd_parser.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/gpu/drm/i915/i915_cmd_parser.c b/drivers/gpu/drm/i915/i915_cmd_parser.c > index de7ec59433d1..827740b866a8 100644 > --- a/drivers/gpu/drm/i915/i915_cmd_parser.c > +++ b/drivers/gpu/drm/i915/i915_cmd_parser.c > @@ -1218,6 +1218,9 @@ static bool check_cmd(const struct intel_engine_cs *engine, > continue; > } > > + if (desc->bits[i].offset >= length) > + continue; Should be return false since the command can't be validated. -Chris
diff --git a/drivers/gpu/drm/i915/i915_cmd_parser.c b/drivers/gpu/drm/i915/i915_cmd_parser.c index de7ec59433d1..827740b866a8 100644 --- a/drivers/gpu/drm/i915/i915_cmd_parser.c +++ b/drivers/gpu/drm/i915/i915_cmd_parser.c @@ -1218,6 +1218,9 @@ static bool check_cmd(const struct intel_engine_cs *engine, continue; } + if (desc->bits[i].offset >= length) + continue; + dword = cmd[desc->bits[i].offset] & desc->bits[i].mask;
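Review bot: the added `continue` under `if (desc->bits[i].offset >= length)` skips the masked-bit check instead of failing it, so a command too short to contain the dword being checked is not rejected on this path, even though the bits the descriptor asks for were never inspected. For MEDIA_VFE_STATE with length 2 that means the check at offset +2 dwords silently never runs. Consider `return false;` here so that a command that cannot be validated is refused. The comparison itself looks right: `offset` and `length` are both in dwords, matching the `cmd[desc->bits[i].offset]` index on the following line, and `>=` correctly excludes offset == length. A one-line comment stating that the bound exists to avoid reading into the next command or past the end of the buffer would help future readers.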
The command MEDIA_VFE_STATE checks bits at offset +2 dwords. However, it is
possible to have MEDIA_VFE_STATE command with length = 0 + LENGTH_BIAS = 2.
In that case check_cmd will read bits from the following command, or even past
the end of the buffer.

Similarly to how registers are checked - if the offset ends up outside of the
command length, just ignore it.

Signed-off-by: Michal Srb <msrb@suse.com>

---
 drivers/gpu/drm/i915/i915_cmd_parser.c | 3 +++
 1 file changed, 3 insertions(+)
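The two behaviours discussed in this thread (skipping the out-of-range check, as the patch does, or failing the command, as the review reply asks), shown as an added example that is not part of the patch or of the i915 driver. It is a simplified user-space model: `struct bit_rule`, its `expected` field, `check_bits`, the policy enum and all sample dwords are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of one masked-bit rule: dword index, mask, required value. */
struct bit_rule {
    uint32_t offset;   /* dword offset from the start of the command */
    uint32_t mask;
    uint32_t expected;
};

enum short_policy { SKIP_RULE, REJECT_CMD };

/*
 * Validate one command of `length` dwords against `rules`.
 * A rule whose offset lies at or beyond `length` cannot be evaluated without
 * reading the next command (or past the buffer), so it is never dereferenced;
 * `policy` decides whether the rule is skipped or the command is rejected.
 */
static bool check_bits(const uint32_t *cmd, uint32_t length,
                       const struct bit_rule *rules, size_t nrules,
                       enum short_policy policy)
{
    for (size_t i = 0; i < nrules; i++) {
        if (rules[i].offset >= length) {
            if (policy == REJECT_CMD)
                return false;   /* command cannot be validated */
            continue;           /* rule silently ignored */
        }
        if ((cmd[rules[i].offset] & rules[i].mask) != rules[i].expected)
            return false;
    }
    return true;
}

/* Constructed sample data (not real opcodes): a rule on dword +2, and a
 * 2-dword command followed by an unrelated dword that must not be read for it. */
static const struct bit_rule sample_rules[] = { { 2, 1u << 11, 0 } };
static const uint32_t short_cmd[] = { 0x70000000u, 0x0u, 0xffffffffu };
static const uint32_t full_ok[]   = { 0x70000001u, 0x0u, 0x00000000u };
static const uint32_t full_bad[]  = { 0x70000001u, 0x0u, 0x00000800u };

int main(void)
{
    bool skipped  = check_bits(short_cmd, 2, sample_rules, 1, SKIP_RULE);
    bool rejected = !check_bits(short_cmd, 2, sample_rules, 1, REJECT_CMD);
    return (skipped && rejected) ? 0 : 1;
}
```

With `SKIP_RULE` the 2-dword command passes without its rule ever being evaluated; with `REJECT_CMD` the same command is refused, while full-length commands are judged on their own dword in both modes.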