From patchwork Thu Jul 11 09:15:32 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Tvrtko Ursulin X-Patchwork-Id: 13730227 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 396F1C3DA41 for ; Thu, 11 Jul 2024 09:15:50 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 5919D10E9BC; Thu, 11 Jul 2024 09:15:47 +0000 (UTC) Authentication-Results: gabe.freedesktop.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=igalia.com header.i=@igalia.com header.b="He6IfgLi"; dkim-atps=neutral Received: from fanzine2.igalia.com (fanzine.igalia.com [178.60.130.6]) by gabe.freedesktop.org (Postfix) with ESMTPS id 241A110E9BB for ; Thu, 11 Jul 2024 09:15:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=igalia.com; s=20170329; h=Content-Transfer-Encoding:Content-Type:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=FIGyg6oNOF6x6modz3D+rHkGGJr55WEsrfdHTkFerYQ=; b=He6IfgLiXmyQ13eQHDbL4rAkqj EVV2WnlHC3Ca7lN8atl9RQ+moSSJcKzr8WM//u/lMLKYZzOGKCgVe9qdjVkmqJ/JRY0DCjnHZRMB3 tEmE5dlX9kxoQB1VZp3vPlIyWPjfar7zJkl3A9U3qAuliyhwiRZ8PM2295+aUDGEbXJIoHacdi72e vYLDiOTo4hDuhTpFLoVxe6ukEy7nwkTyol4ebJ+7OIkPTRUi33IZg9iukT8RBxr1NbYGMi06i8YM2 UQN8y+gMmE6fzGcrEwVDN+7YDytHOVJZsplaDyB62cq0tIl9OU01XzkgBfCy3OzXTLqO2kMe52kQH JXNwP4og==; Received: from [84.69.19.168] (helo=localhost) by fanzine2.igalia.com with esmtpsa (Cipher TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim) id 1sRptw-00DcKK-DB; Thu, 11 Jul 2024 11:15:44 +0200 From: Tvrtko Ursulin To: dri-devel@lists.freedesktop.org Cc: =?utf-8?q?Ma=C3=ADra_Canal?= , kernel-dev@igalia.com, Tvrtko Ursulin , Iago Toral Quiroga , stable@vger.kernel.org Subject: [PATCH 01/11] drm/v3d: Prevent out of bounds access in performance query extensions Date: Thu, 11 Jul 2024 10:15:32 +0100 Message-ID: <20240711091542.82083-2-tursulin@igalia.com> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240711091542.82083-1-tursulin@igalia.com> References: <20240711091542.82083-1-tursulin@igalia.com> MIME-Version: 1.0 X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" From: Tvrtko Ursulin Check that the number of perfmons userspace is passing in the copy and reset extensions is not greater than the internal kernel storage where the ids will be copied into. Signed-off-by: Tvrtko Ursulin Fixes: bae7cb5d6800 ("drm/v3d: Create a CPU job extension for the reset performance query job" Cc: Maíra Canal Cc: Iago Toral Quiroga Cc: # v6.8+ Reviewed-by: Iago Toral Quiroga Reviewed-by: Maíra Canal --- drivers/gpu/drm/v3d/v3d_submit.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/gpu/drm/v3d/v3d_submit.c b/drivers/gpu/drm/v3d/v3d_submit.c index 88f63d526b22..263fefc1d04f 100644 --- a/drivers/gpu/drm/v3d/v3d_submit.c +++ b/drivers/gpu/drm/v3d/v3d_submit.c @@ -637,6 +637,9 @@ v3d_get_cpu_reset_performance_params(struct drm_file *file_priv, if (copy_from_user(&reset, ext, sizeof(reset))) return -EFAULT; + if (reset.nperfmons > V3D_MAX_PERFMONS) + return -EINVAL; + job->job_type = V3D_CPU_JOB_TYPE_RESET_PERFORMANCE_QUERY; job->performance_query.queries = kvmalloc_array(reset.count, @@ -708,6 +711,9 @@ v3d_get_cpu_copy_performance_query_params(struct drm_file *file_priv, if (copy.pad) return -EINVAL; + if (copy.nperfmons > V3D_MAX_PERFMONS) + return -EINVAL; + job->job_type = V3D_CPU_JOB_TYPE_COPY_PERFORMANCE_QUERY; job->performance_query.queries = kvmalloc_array(copy.count,