[PATCH 0/6] drm/i915/gvt: Fix klocwork criticals and errors
Colin Xu
colin.xu at intel.com
Wed Mar 20 03:21:24 UTC 2019
Fix potential array index overflow and invalid pointer access.
Although these accesses are protected by current gvt logic and won't be hit
at runtime, they still pose a potential security risk in the future.

1154: Pointer 'intel_context_lookup(s->shadow_ctx, dev_priv->engine[ring_id])'
returned from call to function 'intel_context_lookup' at line 499 may be NULL
and will be dereferenced at line 499.
drivers/gpu/drm/i915/gvt/mmio_context.c:499 | switch_mmio()
Code: NPD.FUNC.MUST | Severity: Critical(1)

1369: Operands in a bitwise operation have different size
drivers/gpu/drm/i915/gvt/handlers.c:344 | gdrst_mmio_write()
SmartRank Recommended | Code: CWARN.BITOP.SIZE

1431: 'fb_info.obj' is used uninitialized in this function.
drivers/gpu/drm/i915/gvt/dmabuf.c:425 | intel_vgpu_query_plane()
Code: UNINIT.STACK.MUST | Severity: Critical(1)

1432: Array 'scratch_pt' of size 17 may use index value(s) 17.
Also there is one similar error on line 965.
drivers/gpu/drm/i915/gvt/gtt.c:965 | ppgtt_invalidate_pte()
Code: ABV.GENERAL | Severity: Critical(1)

1433: 'regs' array elements are used uninitialized in this function with
index range: [4,5].
drivers/gpu/drm/i915/gvt/mmio_context.c:349 | handle_tlb_pending_event()
Code: UNINIT.STACK.ARRAY.PARTIAL.MUST | Severity: Critical(1)

1434: Operands in a bitwise operation have different size
drivers/gpu/drm/i915/gvt/debugfs.c:172 | vgpu_scan_nonprivbb_set()
Code: CWARN.BITOP.SIZE | Severity: Review(4)

1435: 'regs' array elements are used uninitialized in this function with
index range: [4,5].
drivers/gpu/drm/i915/gvt/mmio_context.c:165 | load_render_mocs()
Code: UNINIT.STACK.ARRAY.PARTIAL.MUST | Severity: Critical(1)

1436: Array 'vgpu->fence.regs' of size 32 may use index value(s) 32..INT_MAX
drivers/gpu/drm/i915/gvt/aperture_gm.c:159 | _clear_vgpu_fence()
Code: ABV.STACK | Severity: Critical(1)

1437: Array 'name' of size 10 may use index value(s) 10..15
drivers/gpu/drm/i915/gvt/debugfs.c:201 | intel_gvt_debugfs_add_vgpu()
Code: ABV.GENERAL | Severity: Critical(1)

1438: Array 'scratch_pt' of size 17 may use index value(s) 17.
Also there is one similar error on line 1721.
drivers/gpu/drm/i915/gvt/gtt.c:1721 | ppgtt_handle_guest_write_page_table_bytes()
Code: ABV.GENERAL | Severity: Critical(1)

1439: Object 'spt' was used at line 1095 after being freed by calling
'ppgtt_free_spt' at line 1093
drivers/gpu/drm/i915/gvt/gtt.c:1095 | ppgtt_populate_spt_by_guest_entry()
Code: UFM.USE.MIGHT | Severity: Error(2)

1440: Array 'scratch_pt' of size 17 may use index value(s) 17.
Also there are 5 similar errors on lines 1602, 1609, 1613.
drivers/gpu/drm/i915/gvt/gtt.c:1602 | ppgtt_handle_guest_write_page_table()
Code: ABV.GENERAL | Severity: Critical(1)

1441: Operands in a bitwise operation have different size
drivers/gpu/drm/i915/gvt/debugfs.c:150 | vgpu_scan_nonprivbb_set()
Code: CWARN.BITOP.SIZE | Severity: Review(4)

1442: Array 'scratch_pt' of size 17 may use index value(s) -1
drivers/gpu/drm/i915/gvt/gtt.c:941 | ppgtt_invalidate_spt_by_shadow_entry()
Code: ABV.GENERAL | Severity: Critical(1)

1443: 'regs' array elements are used uninitialized in this function with
index range: [4,5].
drivers/gpu/drm/i915/gvt/mmio_context.c:404 | switch_mocs()
Code: UNINIT.STACK.ARRAY.PARTIAL.MUST | Severity: Critical(1)

Colin Xu (6):
  drm/i915/gvt: Prevent invalid array index access to vgpu->fence.regs[]
  drm/i915/gvt: Prevent invalid ring_id access to array regs[]
  drm/i915/gvt: Prevent invalid index access to vgpu->gtt.scratch_pt[]
  drm/i915/gvt: Prevent use of uninitilized member fb_info->obj
  drm/i915/gvt: Explicit cast int to u64 and prevent char buf overflow.
  drm/i915/gvt: Explicit cast to same type size before bitwise
    operation.

 drivers/gpu/drm/i915/gvt/aperture_gm.c  |  3 +-
 drivers/gpu/drm/i915/gvt/debugfs.c      |  6 +--
 drivers/gpu/drm/i915/gvt/dmabuf.c       |  1 +
 drivers/gpu/drm/i915/gvt/gtt.c          | 50 ++++++++++++++++++++++---
 drivers/gpu/drm/i915/gvt/handlers.c     |  3 +-
 drivers/gpu/drm/i915/gvt/mmio_context.c | 22 ++++++++---
 6 files changed, 69 insertions(+), 16 deletions(-)

--
2.21.0