
Commit a27bb4b2 authored by Marek Olšák's avatar Marek Olšák Committed by Dave Airlie

drm/radeon/kms: do bounds checking for 3D_LOAD_VBPNTR and bump array limit

To my knowledge, the limit is 16 on r300.
(the docs don't say what the limit is)

The lack of bounds checking can be abused to do all sorts of things
(from bypassing parts of the CS checker to crashing the kernel).

Bugzilla:
https://bugs.freedesktop.org/show_bug.cgi?id=36745



Cc: stable@kernel.org
Signed-off-by: default avatarMarek Olšák <maraeo@gmail.com>
Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
parent ab21e60b
+7 −1
@@ -63,7 +63,7 @@ struct r100_cs_track {
	unsigned			num_arrays;
	unsigned			num_arrays;
	unsigned			max_indx;
	unsigned			max_indx;
	unsigned			color_channel_mask;
	unsigned			color_channel_mask;
	struct r100_cs_track_array	arrays[11];
	struct r100_cs_track_array	arrays[16];
	struct r100_cs_track_cb 	cb[R300_MAX_CB];
	struct r100_cs_track_cb 	cb[R300_MAX_CB];
	struct r100_cs_track_cb 	zb;
	struct r100_cs_track_cb 	zb;
	struct r100_cs_track_cb 	aa;
	struct r100_cs_track_cb 	aa;
@@ -146,6 +146,12 @@ static inline int r100_packet3_load_vbpntr(struct radeon_cs_parser *p,
	ib = p->ib->ptr;
	ib = p->ib->ptr;
	track = (struct r100_cs_track *)p->track;
	track = (struct r100_cs_track *)p->track;
	c = radeon_get_ib_value(p, idx++) & 0x1F;
	c = radeon_get_ib_value(p, idx++) & 0x1F;
	if (c > 16) {
	    DRM_ERROR("Only 16 vertex buffers are allowed %d\n",
		      pkt->opcode);
	    r100_cs_dump_packet(p, pkt);
	    return -EINVAL;
	}
	track->num_arrays = c;
	track->num_arrays = c;
	for (i = 0; i < (c - 1); i+=2, idx+=3) {
	for (i = 0; i < (c - 1); i+=2, idx+=3) {
		r = r100_cs_packet_next_reloc(p, &reloc);
		r = r100_cs_packet_next_reloc(p, &reloc);
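Review bot: The new guard `if (c > 16)` hard-codes the bound separately from the `arrays[16]` declaration in the first hunk, so the two can drift apart on a later bump; since the check exists to keep `track->arrays[]` indexing in range, derive it from the array itself, `if (c > ARRAY_SIZE(track->arrays)) {`. The DRM_ERROR in the same block feeds `pkt->opcode` to the `%d` of "Only 16 vertex buffers are allowed %d", so the log reports the opcode where a reader expects the rejected count; `DRM_ERROR("Only %zu vertex buffers are allowed, got %u\n", ARRAY_SIZE(track->arrays), c);` says what was actually rejected (pick the specifier that matches the declared type of `c`). r100_packet3_load_vbpntr starts and ends outside the hunk, so the declarations of `c` and `i` are not visible here; if `c` is unsigned, a packet with `c == 0` makes `c - 1` wrap in the loop bound on the last line, and the new check does not reject that case. The added lines are also indented with a tab plus four spaces where the surrounding code uses tabs only.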