[PATCH] drm/amdgpu: Fix bounds checking in amdgpu_ras_is_supported()

[Pan, Xinhui]

do you mean that something like 1<<65 might be a none zero value?
________________________________
From: Dan Carpenter <dan.carpenter at oracle.com>
Sent: Saturday, June 8, 2019 5:23:57 PM
To: Deucher, Alexander; Pan, Xinhui
Cc: Koenig, Christian; Zhou, David(ChunMing); David Airlie; Daniel Vetter; Quan, Evan; Zhu, James; amd-gfx at lists.freedesktop.org; dri-devel at lists.freedesktop.org; kernel-janitors at vger.kernel.org
Subject: [PATCH] drm/amdgpu: Fix bounds checking in amdgpu_ras_is_supported()

The "block" variable can be set by the user through debugfs, so it can
be quite large which leads to shift wrapping here.  This means we report
a "block" as supported when it's not, and that leads to array overflows
later on.

This bug is not really a security issue in real life, because debugfs is
generally root only.

Fixes: 36ea1bd2d084 ("drm/amdgpu: add debugfs ctrl node")
Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h
index c6b34fbd695f..94c652f5265a 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h
@@ -173,6 +173,8 @@ static inline int amdgpu_ras_is_supported(struct amdgpu_device *adev,
 {
         struct amdgpu_ras *ras = amdgpu_ras_get_context(adev);

+       if (block >= AMDGPU_RAS_BLOCK_COUNT)
+               return 0;
         return ras && (ras->supported & (1 << block));
 }

--
2.20.1

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/amd-gfx/attachments/20190608/965b8e9c/attachment.html>