drm/amdgpu: info leak in amdgpu_gem_metadata_ioctl()

There is no limit on args->data.data_size_bytes so we could read beyond the end of the args->data.data[] array. Reviewed-by: N Christian König <christian.koenig@amd.com> Reported-by: N Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: N Alex Deucher <alexander.deucher@amd.com>

drm/amdgpu: info leak in amdgpu_gem_metadata_ioctl()
There is no limit on args->data.data_size_bytes so we could read beyond the end of the args->data.data[] array. Reviewed-by: N Christian König <christian.koenig@amd.com> Reported-by: N Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: N Alex Deucher <alexander.deucher@amd.com>
0913eab6 · Dan Carpenter · Alex Deucher · 0d2edd37 · 0913eab6
隐藏空白更改
内联并排

Showing with 5 addition and 0 deletion

drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c +5 -0

未找到文件。
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
@@ -427,6 +427,10 @@ int amdgpu_gem_metadata_ioctl(struct drm_device *dev, void *data,
 					   &args->data.data_size_bytes,
 					   &args->data.flags);
 	} else if (args->op == AMDGPU_GEM_METADATA_OP_SET_METADATA) {
+		if (args->data.data_size_bytes > sizeof(args->data.data)) {
+			r = -EINVAL;
+			goto unreserve;
+		}
 		r = amdgpu_bo_set_tiling_flags(robj, args->data.tiling_info);
 		if (!r)
 			r = amdgpu_bo_set_metadata(robj, args->data.data,
@@ -434,6 +438,7 @@ int amdgpu_gem_metadata_ioctl(struct drm_device *dev, void *data,
 						   args->data.flags);
 	}

+unreserve:
 	amdgpu_bo_unreserve(robj);
 out:
 	drm_gem_object_unreference_unlocked(gobj);