[PATCH 1/6] drm/i915/gvt: Prevent invalid array index access to vgpu->fence.regs[]

Wed Mar 20 03:21:25 UTC 2019

Invalid index could result in array overflow so limit it to array size.
Although these access are protected by current gvt logic and won't hit
during running, but still has potential security risk in future.

Signed-off-by: Colin Xu <colin.xu at intel.com>
---
 drivers/gpu/drm/i915/gvt/aperture_gm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/gvt/aperture_gm.c b/drivers/gpu/drm/i915/gvt/aperture_gm.c
index 1fa2f65c3cd1..ec14d7506114 100644
--- a/drivers/gpu/drm/i915/gvt/aperture_gm.c
+++ b/drivers/gpu/drm/i915/gvt/aperture_gm.c
@@ -133,7 +133,8 @@ void intel_vgpu_write_fence(struct intel_vgpu *vgpu,
 
 	assert_rpm_wakelock_held(dev_priv);
 
-	if (WARN_ON(fence >= vgpu_fence_sz(vgpu)))
+	if (WARN_ON(fence >= vgpu_fence_sz(vgpu) ||
+		    fence >= INTEL_GVT_MAX_NUM_FENCES))
 		return;
 
 	reg = vgpu->fence.regs[fence];
-- 
2.21.0

