[PATCH] drm: Validate requested virtual size against allocated fb size

Daniel Vetter daniel at ffwll.ch
Sat Mar 31 14:20:53 PDT 2012 

On Mon, Mar 26, 2012 at 09:15:53PM +0100, Chris Wilson wrote:
> mplayer -vo fbdev tries to create a screen that is twice as tall as the
> allocated framebuffer for "doublebuffering". By default, and all in-tree
> users, only sufficient memory is allocated and mapped to satisfy the
> smallest framebuffer and the virtual size is no larger than the actual.
> For these users, we should therefore reject any userspace request to
> create a screen that requires a buffer larger than the framebuffer
> originally allocated.
> 
> References: https://bugs.freedesktop.org/show_bug.cgi?id=38138
> Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>

Reviewed-by: Daniel Vetter <daniel.vetter at ffwll.ch>
Cc: stable at kernel.org

Given that this is user-exploitable (at least for userspace that tries to
do stupid tricks with fbdev), I think this should go in through drm-fixes.
Dave?
-Daniel

> ---
>  drivers/gpu/drm/drm_fb_helper.c |    8 ++++++--
>  1 files changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
> index 7740dd2..a0d6e89 100644
> --- a/drivers/gpu/drm/drm_fb_helper.c
> +++ b/drivers/gpu/drm/drm_fb_helper.c
> @@ -559,9 +559,13 @@ int drm_fb_helper_check_var(struct fb_var_screeninfo *var,
>  		return -EINVAL;
>  
>  	/* Need to resize the fb object !!! */
> -	if (var->bits_per_pixel > fb->bits_per_pixel || var->xres > fb->width || var->yres > fb->height) {
> +	if (var->bits_per_pixel > fb->bits_per_pixel ||
> +	    var->xres > fb->width || var->yres > fb->height ||
> +	    var->xres_virtual > fb->width || var->yres_virtual > fb->height) {
>  		DRM_DEBUG("fb userspace requested width/height/bpp is greater than current fb "
> -			  "object %dx%d-%d > %dx%d-%d\n", var->xres, var->yres, var->bits_per_pixel,
> +			  "request %dx%d-%d (virtual %dx%d) > %dx%d-%d\n",
> +			  var->xres, var->yres, var->bits_per_pixel,
> +			  var->xres_virtual, var->yres_virtual,
>  			  fb->width, fb->height, fb->bits_per_pixel);
>  		return -EINVAL;
>  	}
> -- 
> 1.7.9.1
> 
> _______________________________________________
> dri-devel mailing list
> dri-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/dri-devel

-- 
Daniel Vetter
Mail: daniel at ffwll.ch
Mobile: +41 (0)79 365 57 48

More information about the dri-devel mailing list