<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> <meta name="Generator" content="Microsoft Exchange Server"> <style></style> </head> <body> <div> <div dir="auto" style="direction:ltr; margin:0; padding:0; font-family:sans-serif; font-size:11pt; color:black"> do you mean that something like 1<<65 might be a none zero value?</div> <hr tabindex="-1" style="display:inline-block; width:98%"> <div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Dan Carpenter <dan.carpenter@oracle.com><br> <b>Sent:</b> Saturday, June 8, 2019 5:23:57 PM<br> <b>To:</b> Deucher, Alexander; Pan, Xinhui<br> <b>Cc:</b> Koenig, Christian; Zhou, David(ChunMing); David Airlie; Daniel Vetter; Quan, Evan; Zhu, James; amd-gfx@lists.freedesktop.org; dri-devel@lists.freedesktop.org; kernel-janitors@vger.kernel.org<br> <b>Subject:</b> [PATCH] drm/amdgpu: Fix bounds checking in amdgpu_ras_is_supported()</font> <div> </div> </div> </div> <font size="2"><span style="font-size:11pt;"> <div class="PlainText">The "block" variable can be set by the user through debugfs, so it can<br> be quite large which leads to shift wrapping here. This means we report<br> a "block" as supported when it's not, and that leads to array overflows<br> later on.<br> <br> This bug is not really a security issue in real life, because debugfs is<br> generally root only.<br> <br> Fixes: 36ea1bd2d084 ("drm/amdgpu: add debugfs ctrl node")<br> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com><br> ---<br> drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h | 2 ++<br> 1 file changed, 2 insertions(+)<br> <br> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h<br> index c6b34fbd695f..94c652f5265a 100644<br> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h<br> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h<br> @@ -173,6 +173,8 @@ static inline int amdgpu_ras_is_supported(struct amdgpu_device *adev,<br> {<br> struct amdgpu_ras *ras = amdgpu_ras_get_context(adev);<br> <br> + if (block >= AMDGPU_RAS_BLOCK_COUNT)<br> + return 0;<br> return ras && (ras->supported & (1 << block));<br> }<br> <br> -- <br> 2.20.1<br> <br> </div> </span></font> </body> </html>