Commit a27bb4b2 authored by Marek Olšák, committed by Dave Airlie

drm/radeon/kms: do bounds checking for 3D_LOAD_VBPNTR and bump array limit

To my knowledge, the limit is 16 on r300.
(the docs don't say what the limit is)

The lack of bounds checking can be abused to do all sorts of things
(from bypassing parts of the CS checker to crashing the kernel).

Bugzilla:
https://bugs.freedesktop.org/show_bug.cgi?id=36745

Cc: stable@kernel.org
Signed-off-by: Marek Olšák <maraeo@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Parent ab21e60b
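The bug class the commit message describes, as an added example that is not the radeon driver's code: a stand-alone C model of the count check on a 3D_LOAD_VBPNTR-style packet. The tracker struct, its field names, the `vbpntr_*` helpers and the packet body layout (three dwords per pair of arrays, inferred from the `idx+=3` step of the loop in the patch; two dwords for a trailing odd array) are assumptions made here for illustration. The only things taken from the patch are the 5-bit count mask `& 0x1F`, the 16-entry tracking array and the rejection of `c > 16`. The example additionally rejects `c == 0` and a body that overruns the command stream it was handed; neither check is part of the patch.

```c
/* Added example, not kernel code: a minimal model of the 3D_LOAD_VBPNTR
 * count check. Struct layout, helper names and the packet body layout are
 * assumptions; only the 0x1F mask, the 16-entry array and the c > 16 check
 * come from the patch. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_VB_ARRAYS 16          /* the patch's arrays[16] */

struct vb_array {
    uint32_t stride;              /* assumed field */
    uint32_t offset;              /* assumed field */
};

struct cs_track {
    unsigned num_arrays;
    struct vb_array arrays[MAX_VB_ARRAYS];
};

/* Count field: the low 5 bits of the packet's first dword, so 0..31.
 * Before the patch the tracker had only 11 slots for up to 31 entries. */
static unsigned vbpntr_count(uint32_t dw0)
{
    return dw0 & 0x1F;
}

/* Body size in dwords. Assumed layout modelled on the loop step in the
 * patch: one packed stride dword plus two offsets per pair of arrays, and
 * a stride dword plus one offset for a trailing odd array. */
static size_t vbpntr_body_dwords(unsigned c)
{
    return (size_t)(c / 2) * 3 + (c % 2) * 2;
}

/* Parse one packet whose count dword is ib[0] and whose body follows it.
 * Returns 0 on success, -EINVAL on a malformed or out-of-range packet. */
static int load_vbpntr(const uint32_t *ib, size_t ndw, struct cs_track *track)
{
    unsigned c, i;
    size_t idx = 1;

    if (ndw < 1)
        return -EINVAL;
    c = vbpntr_count(ib[0]);

    /* The check from the patch: c can be up to 31, the tracker holds 16. */
    if (c > MAX_VB_ARRAYS) {
        fprintf(stderr, "Only %u vertex buffers are allowed, got %u\n",
                MAX_VB_ARRAYS, c);
        return -EINVAL;
    }
    /* Not in the patch: an unsigned c == 0 would make the bound (c - 1)
     * wrap in a loop written as "i < (c - 1)"; reject it outright. */
    if (c == 0)
        return -EINVAL;
    /* Not in the patch: the body must lie inside the stream we were given. */
    if (vbpntr_body_dwords(c) > ndw - 1)
        return -EINVAL;

    track->num_arrays = c;
    for (i = 0; i + 1 < c; i += 2, idx += 3) {   /* same as i < c-1, no wrap */
        track->arrays[i].stride     = ib[idx] & 0xFF;
        track->arrays[i + 1].stride = (ib[idx] >> 8) & 0xFF;
        track->arrays[i].offset     = ib[idx + 1];
        track->arrays[i + 1].offset = ib[idx + 2];
    }
    if (c % 2) {                                  /* trailing odd array */
        track->arrays[i].stride = ib[idx] & 0xFF;
        track->arrays[i].offset = ib[idx + 1];
    }
    return 0;
}

/* Build a constructed packet with count c and filler body; returns dwords written. */
static size_t build_vbpntr(uint32_t *out, size_t cap, unsigned c)
{
    size_t body = vbpntr_body_dwords(c & 0x1F), k;
    if (cap < body + 1)
        return 0;
    out[0] = c & 0x1F;
    for (k = 0; k < body; k++)
        out[1 + k] = 0x01010000u + (uint32_t)k;   /* arbitrary constructed data */
    return body + 1;
}

/* Three constructed cases; returns how many behaved as expected (3 if all). */
static int demo(void)
{
    uint32_t ib[64];
    struct cs_track t;
    size_t n;
    int ok = 0;

    n = build_vbpntr(ib, 64, 31);          /* count the unpatched code accepted */
    ok += (load_vbpntr(ib, n, &t) == -EINVAL);
    n = build_vbpntr(ib, 64, 16);          /* the new maximum */
    memset(&t, 0, sizeof t);
    ok += (load_vbpntr(ib, n, &t) == 0 && t.num_arrays == 16);
    n = build_vbpntr(ib, 64, 0);           /* zero count */
    ok += (load_vbpntr(ib, n, &t) == -EINVAL);
    return ok;
}

int main(void)
{
    printf("%d/3 cases handled as expected\n", demo());
    return 0;
}
```

The loop bound is written `i + 1 < c` rather than `i < (c - 1)` so that it is safe for any unsigned `c`, independent of the explicit zero check.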
...@@ -63,7 +63,7 @@ struct r100_cs_track { ...@@ -63,7 +63,7 @@ struct r100_cs_track {
unsigned num_arrays; unsigned num_arrays;
unsigned max_indx; unsigned max_indx;
unsigned color_channel_mask; unsigned color_channel_mask;
struct r100_cs_track_array arrays[11]; struct r100_cs_track_array arrays[16];
struct r100_cs_track_cb cb[R300_MAX_CB]; struct r100_cs_track_cb cb[R300_MAX_CB];
struct r100_cs_track_cb zb; struct r100_cs_track_cb zb;
struct r100_cs_track_cb aa; struct r100_cs_track_cb aa;
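Review bot: the new bound in `struct r100_cs_track_array arrays[16];` is a bare magic number that must stay in step with the `c > 16` comparison added to r100_packet3_load_vbpntr in this same patch; define one named constant and use it for both the array size and the check so a later bump cannot change one without the other. Since the commit message says the documentation does not state the limit, a short comment at the declaration recording where the 16 comes from would also help the next reader.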
...@@ -146,6 +146,12 @@ static inline int r100_packet3_load_vbpntr(struct radeon_cs_parser *p, ...@@ -146,6 +146,12 @@ static inline int r100_packet3_load_vbpntr(struct radeon_cs_parser *p,
ib = p->ib->ptr; ib = p->ib->ptr;
track = (struct r100_cs_track *)p->track; track = (struct r100_cs_track *)p->track;
c = radeon_get_ib_value(p, idx++) & 0x1F; c = radeon_get_ib_value(p, idx++) & 0x1F;
if (c > 16) {
DRM_ERROR("Only 16 vertex buffers are allowed %d\n",
pkt->opcode);
r100_cs_dump_packet(p, pkt);
return -EINVAL;
}
track->num_arrays = c; track->num_arrays = c;
for (i = 0; i < (c - 1); i+=2, idx+=3) { for (i = 0; i < (c - 1); i+=2, idx+=3) {
r = r100_cs_packet_next_reloc(p, &reloc); r = r100_cs_packet_next_reloc(p, &reloc);
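Review bot: the new error message prints the wrong value: `DRM_ERROR("Only 16 vertex buffers are allowed %d\n", pkt->opcode);` formats `pkt->opcode` where the reader expects the rejected count, so print `c` instead (and the opcode with its own label if it is wanted). Two further points on the same check: `c` is masked with `& 0x1F`, so after the patch it is confined to 0..16, but `c == 0` is still accepted and feeds the loop bound `i < (c - 1)`; if `c` is unsigned (its declaration is outside this hunk), `c - 1` wraps and the loop only ends when `r100_cs_packet_next_reloc` fails, so rejecting `c == 0` alongside `c > 16` is worth considering. And the literal 16 duplicates the array size from the struct hunk; a shared named constant would keep the two from drifting apart.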