From patchwork Sun Dec 23 21:52:39 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yu Zhao X-Patchwork-Id: 10742173 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5EC3C6C2 for ; Mon, 24 Dec 2018 10:52:22 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4E62A28C13 for ; Mon, 24 Dec 2018 10:52:22 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 42AB928C15; Mon, 24 Dec 2018 10:52:22 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 0238428C13 for ; Mon, 24 Dec 2018 10:52:22 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 97BF36E57F; Mon, 24 Dec 2018 10:52:14 +0000 (UTC) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from mail-it1-x141.google.com (mail-it1-x141.google.com [IPv6:2607:f8b0:4864:20::141]) by gabe.freedesktop.org (Postfix) with ESMTPS id 8A0716E52A for ; Sun, 23 Dec 2018 21:52:54 +0000 (UTC) Received: by mail-it1-x141.google.com with SMTP id w18so13997135ite.1 for ; Sun, 23 Dec 2018 13:52:54 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=C4T60ebSd3XIwaQkfiltqImM3j39ie8rJCcw2QWQ+cE=; b=nW2DEYSTTWhtfgn+h/9+gjJAJ7nV7uKYYmPh+lVqG7yu5/R8OnosgbgbRmz7QhTGcf BpKzx0I8Fk5CkEQ07bY1YAE+srK2DsquTirkXkUXahuz8WyzlcVNGtOYkYsGozwlyQhj BQqBe1dO2Q3zkMqE38BJMMyspJDimPzsJ+U3NLD8SMefxpSQdny1WyBS84YIDYO/eeke 4ejw7lba6n5BRKF6O0TTf/PX5QUh/xFyD/f3Ki76kFYo4B4i82oNkf21h0F3whQZwqVC tVcS5tPCI2O2QcqdbEoxOvDgb1mWreIQRNHAmbMjLMgtul1AW5E/RZwAORsg3JMFZG0a dxWQ== X-Gm-Message-State: AA+aEWZWBAI7HoOOHwCq54eFepvStIPv3DTwKhe6lHCE9pgTgPB/xwME t3b0M0RcF9tYUuO2b0v658eZpQ== X-Google-Smtp-Source: ALg8bN5eaPeMB6wtGxTyPsVHIjBWbJ3noWa+b7wMn1wFlFQ6EWxGO3Y1wQN6EW3JzLyfmKWVWfrm1g== X-Received: by 2002:a24:878c:: with SMTP id f134mr7405915ite.81.1545601973690; Sun, 23 Dec 2018 13:52:53 -0800 (PST) Received: from yuzhao.bld.corp.google.com ([2620:15c:183:0:a0c3:519e:9276:fc96]) by smtp.gmail.com with ESMTPSA id v74sm10386881ita.27.2018.12.23.13.52.52 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 23 Dec 2018 13:52:53 -0800 (PST) From: Yu Zhao To: David Airlie , Daniel Vetter , =?utf-8?q?Christian_K=C3=B6nig?= , Alex Deucher Subject: [PATCH v4 2/2] drm/amd: validate user GEM object size Date: Sun, 23 Dec 2018 14:52:39 -0700 Message-Id: <20181223215239.173339-2-yuzhao@google.com> X-Mailer: git-send-email 2.20.1.415.g653613c723-goog In-Reply-To: <20181223215239.173339-1-yuzhao@google.com> References: <20181222192712.9420-1-yuzhao@google.com> <20181223215239.173339-1-yuzhao@google.com> MIME-Version: 1.0 X-Mailman-Approved-At: Mon, 24 Dec 2018 10:52:02 +0000 X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Daniel Stone , dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, amd-gfx@lists.freedesktop.org, Samuel Li , Junwei Zhang , stable@vger.kernel.org, Yu Zhao Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" X-Virus-Scanned: ClamAV using ClamSMTP When creating frame buffer, userspace may request to attach to a previously allocated GEM object that is smaller than what GPU requires. Validation must be done to prevent out-of-bound DMA, which could not only corrupt memory but also reveal sensitive data. This fix is not done in a common code path because individual driver might have different requirement. Cc: stable@vger.kernel.org # v4.2+ Signed-off-by: Yu Zhao --- drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c index af0626a2b528..9aa23cb20873 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c @@ -527,6 +527,7 @@ amdgpu_display_user_framebuffer_create(struct drm_device *dev, struct drm_gem_object *obj; struct amdgpu_framebuffer *amdgpu_fb; int ret; + int height; struct amdgpu_device *adev = dev->dev_private; int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0); int pitch = amdgpu_align_pitch(adev, mode_cmd->width, cpp, false); @@ -550,6 +551,13 @@ amdgpu_display_user_framebuffer_create(struct drm_device *dev, return ERR_PTR(-EINVAL); } + height = ALIGN(mode_cmd->height, 8); + if (obj->size < pitch * height) { + DRM_DEBUG_KMS("Invalid GEM size: expecting >= %d but got %zu\n", + pitch * height, obj->size); + return ERR_PTR(-EINVAL); + } + amdgpu_fb = kzalloc(sizeof(*amdgpu_fb), GFP_KERNEL); if (amdgpu_fb == NULL) { drm_gem_object_put_unlocked(obj);