[Intel-gfx] [PATCH 09/10] drm/i915/dmc: protect against reading random memory
Lucas De Marchi
lucas.demarchi at intel.com
Thu May 23 19:41:23 UTC 2019
On Thu, May 23, 2019 at 11:58:46AM -0700, Rodrigo Vivi wrote:
>On Thu, May 23, 2019 at 01:24:19AM -0700, Lucas De Marchi wrote:
>> While loading the DMC firmware we were double checking the headers made
>> sense, but in no place we checked that we were actually reading memory
>> we were supposed to. This could be wrong in case the firmware file is
>> truncated.
>>
>> Before parsing any part of the firmware, validate the input first.
>>
>> Signed-off-by: Lucas De Marchi <lucas.demarchi at intel.com>
>
>I wonder if this patch should be the first one on the series
>for easy backport if needed.
yeah, too bad I only noticed after doing the first ones.
This patch as the first one will be very different, but I agree that is
what I need to do.
>Maybe cc: Stable?
yep. I will wait a little more on review and send a new version with
order swapped.
>
>Reviewed-by: Rodrigo Vivi <rodrigo.vivi at intel.com>
thanks
Lucas De Marchi
>
>> ---
>> drivers/gpu/drm/i915/intel_csr.c | 71 ++++++++++++++++++++++++--------
>> 1 file changed, 53 insertions(+), 18 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/i915/intel_csr.c b/drivers/gpu/drm/i915/intel_csr.c
>> index 7ff08de83cc6..b7181ca6c8f5 100644
>> --- a/drivers/gpu/drm/i915/intel_csr.c
>> +++ b/drivers/gpu/drm/i915/intel_csr.c
>> @@ -360,7 +360,8 @@ static u32 find_dmc_fw_offset(const struct intel_fw_info *fw_info,
>> }
>>
>> static u32 parse_csr_fw_dmc(struct intel_csr *csr,
>> - const struct intel_dmc_header_base *dmc_header)
>> + const struct intel_dmc_header_base *dmc_header,
>> + size_t rem_size)
>> {
>> unsigned int header_len_bytes, dmc_header_size, payload_size, i;
>> const u32 *mmioaddr, *mmiodata;
>> @@ -375,6 +376,9 @@ static u32 parse_csr_fw_dmc(struct intel_csr *csr,
>> const struct intel_dmc_header_v3 *v3 =
>> (const struct intel_dmc_header_v3 *)dmc_header;
>>
>> + if (rem_size < sizeof(struct intel_dmc_header_v3))
>> + goto error_truncated;
>> +
>> mmioaddr = v3->mmioaddr;
>> mmiodata = v3->mmiodata;
>> mmio_count = v3->mmio_count;
>> @@ -386,6 +390,9 @@ static u32 parse_csr_fw_dmc(struct intel_csr *csr,
>> const struct intel_dmc_header_v1 *v1 =
>> (const struct intel_dmc_header_v1 *)dmc_header;
>>
>> + if (rem_size < sizeof(struct intel_dmc_header_v1))
>> + goto error_truncated;
>> +
>> mmioaddr = v1->mmioaddr;
>> mmiodata = v1->mmiodata;
>> mmio_count = v1->mmio_count;
>> @@ -404,6 +411,8 @@ static u32 parse_csr_fw_dmc(struct intel_csr *csr,
>> return 0;
>> }
>>
>> + rem_size -= header_len_bytes;
>> +
>> /* Cache the dmc header info. */
>> if (mmio_count > mmio_count_max) {
>> DRM_ERROR("DMC firmware has wrong mmio count %u\n", mmio_count);
>> @@ -424,6 +433,9 @@ static u32 parse_csr_fw_dmc(struct intel_csr *csr,
>>
>> /* fw_size is in dwords, so multiplied by 4 to convert into bytes. */
>> payload_size = dmc_header->fw_size * 4;
>> + if (rem_size < payload_size)
>> + goto error_truncated;
>> +
>> if (payload_size > csr->max_fw_size) {
>> DRM_ERROR("DMC FW too big (%u bytes)\n", payload_size);
>> return 0;
>> @@ -440,16 +452,25 @@ static u32 parse_csr_fw_dmc(struct intel_csr *csr,
>> memcpy(csr->dmc_payload, payload, payload_size);
>>
>> return header_len_bytes + payload_size;
>> +
>> +error_truncated:
>> + DRM_ERROR("Truncated DMC firmware, refusing.\n");
>> + return 0;
>> }
>>
>> static u32
>> parse_csr_fw_package(struct intel_csr *csr,
>> const struct intel_package_header *package_header,
>> - const struct stepping_info *si)
>> + const struct stepping_info *si,
>> + size_t rem_size)
>> {
>> - u32 num_entries, max_entries, dmc_offset, r;
>> + u32 package_size = sizeof(struct intel_package_header);
>> + u32 num_entries, max_entries, dmc_offset;
>> const struct intel_fw_info *fw_info;
>>
>> + if (rem_size < package_size)
>> + goto error_truncated;
>> +
>> if (package_header->header_ver == 1) {
>> max_entries = PACKAGE_MAX_FW_INFO_ENTRIES;
>> } else if (package_header->header_ver == 2) {
>> @@ -460,11 +481,17 @@ parse_csr_fw_package(struct intel_csr *csr,
>> return 0;
>> }
>>
>> - if (package_header->header_len * 4 !=
>> - sizeof(struct intel_package_header) +
>> - max_entries * sizeof(struct intel_fw_info)) {
>> + /*
>> + * We should always have space for max_entries,
>> + * even if not all are used
>> + */
>> + package_size += max_entries * sizeof(struct intel_fw_info);
>> + if (rem_size < package_size)
>> + goto error_truncated;
>> +
>> + if (package_header->header_len * 4 != package_size) {
>> DRM_ERROR("DMC firmware has wrong package header length "
>> - "(%u bytes)\n", package_header->header_len * 4);
>> + "(%u bytes)\n", package_size);
>> return 0;
>> }
>>
>> @@ -481,21 +508,24 @@ parse_csr_fw_package(struct intel_csr *csr,
>> return 0;
>> }
>>
>> - r = sizeof(struct intel_package_header);
>> -
>> - /* we always have space for max_entries, even if not all are used */
>> - r += max_entries * sizeof(struct intel_fw_info);
>> -
>> /* dmc_offset is in dwords */
>> - r += dmc_offset * 4;
>> + return package_size + dmc_offset * 4;
>>
>> - return r;
>> +error_truncated:
>> + DRM_ERROR("Truncated DMC firmware, refusing.\n");
>> + return 0;
>> }
>>
>> /* Return number of bytes parsed or 0 on error */
>> static u32 parse_csr_fw_css(struct intel_csr *csr,
>> - struct intel_css_header *css_header)
>> + struct intel_css_header *css_header,
>> + size_t rem_size)
>> {
>> + if (rem_size < sizeof(struct intel_css_header)) {
>> + DRM_ERROR("Truncated DMC firmware, refusing.\n");
>> + return 0;
>> + }
>> +
>> if (sizeof(struct intel_css_header) !=
>> (css_header->header_len * 4)) {
>> DRM_ERROR("DMC firmware has wrong CSS header length "
>> @@ -530,29 +560,34 @@ static void parse_csr_fw(struct drm_i915_private *dev_priv,
>> const struct stepping_info *si = intel_get_stepping_info(dev_priv);
>> u32 readcount = 0;
>> u32 r;
>> + size_t rem_size;
>>
>> if (!fw)
>> return;
>>
>> + rem_size = fw->size;
>> +
>> /* Extract CSS Header information*/
>> css_header = (struct intel_css_header *)fw->data;
>> - r = parse_csr_fw_css(csr, css_header);
>> + r = parse_csr_fw_css(csr, css_header, rem_size);
>> if (!r)
>> return;
>>
>> + rem_size -= r;
>> readcount += r;
>>
>> /* Extract Package Header information*/
>> package_header = (struct intel_package_header *)&fw->data[readcount];
>> - r = parse_csr_fw_package(csr, package_header, si);
>> + r = parse_csr_fw_package(csr, package_header, si, rem_size);
>> if (!r)
>> return;
>>
>> + rem_size -= r;
>> readcount += r;
>>
>> /* Extract dmc_header information. */
>> dmc_header = (struct intel_dmc_header_base *)&fw->data[readcount];
>> - parse_csr_fw_dmc(csr, dmc_header);
>> + parse_csr_fw_dmc(csr, dmc_header, rem_size);
>> }
>>
>> static void intel_csr_runtime_pm_get(struct drm_i915_private *dev_priv)
>> --
>> 2.21.0
>>
More information about the Intel-gfx
mailing list