Message ID | 1539880933-6887-1-git-send-email-wang6495@umn.edu (mailing list archive) |
---|---|
State | New, archived |
From | Wenwen Wang <wang6495@umn.edu> |
To | Wenwen Wang <wang6495@umn.edu> |
Cc | David Airlie <airlied@linux.ie>, Kangjie Lu <kjlu@umn.edu>, open list <linux-kernel@vger.kernel.org>, "open list:RADEON and AMDGPU DRM DRIVERS" <amd-gfx@lists.freedesktop.org>, "open list:DRM DRIVERS" <dri-devel@lists.freedesktop.org>, Alex Deucher <alexander.deucher@amd.com>, Christian König <christian.koenig@amd.com> |
Subject | [PATCH] drm/radeon: fix a missing-check bug |
Date | Thu, 18 Oct 2018 11:42:13 -0500 |
Series | drm/radeon: fix a missing-check bug |
diff --git a/drivers/gpu/drm/radeon/radeon_bios.c b/drivers/gpu/drm/radeon/radeon_bios.c index 04c0ed4..d8304fa 100644 --- a/drivers/gpu/drm/radeon/radeon_bios.c +++ b/drivers/gpu/drm/radeon/radeon_bios.c @@ -69,6 +69,8 @@ static bool igp_read_bios_from_vram(struct radeon_device *rdev) return false; } memcpy_fromio(rdev->bios, bios, size); + rdev->bios[0] = 0x55; + rdev->bios[1] = 0xaa; iounmap(bios); return true; }
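Review bot: The two added stores after memcpy_fromio() force rdev->bios[0] and rdev->bios[1] to 0x55 and 0xaa instead of checking them, so an image whose signature changed between the check and the copy is accepted and made to look valid rather than rejected. Consider comparing the copied bytes in rdev->bios against 0x55 and 0xaa after memcpy_fromio() and taking the failure path (iounmap(bios), return false, plus whatever cleanup rdev->bios needs there) on a mismatch. Only the first two bytes are covered either way: the rest of rdev->bios is whatever the region held at copy time, and since the commit message says the size was also checked on 'bios' directly, it is worth stating whether size is read once into a local before memcpy_fromio() uses it. A one-line comment above the stores explaining why the signature is rewritten would also help, since without the commit message they read as redundant.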
In igp_read_bios_from_vram(), the start of vram is first remapped to the IO memory region 'bios' through ioremap(). Then the size and values of 'bios' are checked. For example, 'bios[0]' is compared against 0x55 and 'bios[1]' is compared against 0xaa. If no error happens during this checking process, the whole data in 'bios' is then copied to 'rdev->bios' through memcpy_fromio().

The problem here is that the checks are performed on 'bios' directly. Given that the IO memory region can also be accessed by the device, it is possible that a malicious device races to modify 'bios[0]' and/or 'bios[1]' after the checks but before memcpy_fromio(). This can cause undefined behavior of the kernel and potentially introduce a security risk, especially when the device can be controlled by attackers.

This patch avoids the above issue by rewriting the first two bytes of 'rdev->bios' after memcpy_fromio() with expected values.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>

---
 drivers/gpu/drm/radeon/radeon_bios.c | 2 ++
 1 file changed, 2 insertions(+)
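The check-then-copy pattern the commit message describes, as an added user-space sketch that is not part of the patch or the radeon driver. It goes beyond the patch by showing the copy-then-check ordering as a comparison; `shared_region`, the `race` hook and all function names are hypothetical stand-ins for the ioremap()ed memory and the device.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IMG_SIZE 16

/* Constructed stand-in for the ioremap()ed region: memory the device side
 * can rewrite at any time. Not the radeon driver's own data structures. */
static volatile uint8_t shared_region[IMG_SIZE];

static void load_valid_image(void) { shared_region[0] = 0x55; shared_region[1] = 0xaa; }
/* Hypothetical hook modelling the device winning the race. */
static void device_rewrites_signature(void) { shared_region[0] = 0; shared_region[1] = 0; }

static void copy_from_shared(uint8_t *dst)
{
    for (size_t i = 0; i < IMG_SIZE; i++)
        dst[i] = shared_region[i];
}

/* Check-then-copy: the signature is fetched twice from shared memory. */
static bool read_double_fetch(uint8_t *dst, void (*race)(void))
{
    if (shared_region[0] != 0x55 || shared_region[1] != 0xaa)
        return false;
    if (race)
        race();              /* window between the check and the copy */
    copy_from_shared(dst);   /* second fetch may differ from the checked one */
    return true;
}

/* Copy-then-check: one fetch; the check runs on the private copy. */
static bool read_snapshot(uint8_t *dst, void (*race)(void))
{
    copy_from_shared(dst);
    if (race)
        race();              /* later device writes cannot reach dst */
    return dst[0] == 0x55 && dst[1] == 0xaa;
}

int main(void)
{
    uint8_t img[IMG_SIZE];
    load_valid_image();
    bool ok = read_double_fetch(img, device_rewrites_signature);
    printf("double fetch: accepted=%d sig=%02x%02x\n", ok, img[0], img[1]);
    load_valid_image();
    ok = read_snapshot(img, device_rewrites_signature);
    printf("snapshot:     accepted=%d sig=%02x%02x\n", ok, img[0], img[1]);
    return 0;
}
```

With the snapshot ordering, a `true` return always means the private copy carries the signature that was checked, whichever side wins the race.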