Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0913eab6 authored by Dan Carpenter's avatar Dan Carpenter Committed by Alex Deucher
Browse files

drm/amdgpu: info leak in amdgpu_gem_metadata_ioctl() 



There is no limit on args->data.data_size_bytes so we could read beyond
the end of the args->data.data[] array.

Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
Reported-by: default avatarIlja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
parent 0d2edd37

drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c

+5 −0
Original line number Diff line number Diff line
@@ -427,6 +427,10 @@ int amdgpu_gem_metadata_ioctl(struct drm_device *dev, void *data, 
					   &args->data.data_size_bytes,

					   &args->data.flags);

	} else if (args->op == AMDGPU_GEM_METADATA_OP_SET_METADATA) {

		if (args->data.data_size_bytes > sizeof(args->data.data)) {

			r = -EINVAL;

			goto unreserve;

		}

		r = amdgpu_bo_set_tiling_flags(robj, args->data.tiling_info);

		if (!r)

			r = amdgpu_bo_set_metadata(robj, args->data.data,
@@ -434,6 +438,7 @@ int amdgpu_gem_metadata_ioctl(struct drm_device *dev, void *data, 
						   args->data.flags);

	}



unreserve:

	amdgpu_bo_unreserve(robj);

out:

	drm_gem_object_unreference_unlocked(gobj);