[PATCH 1/6] drm/i915/gvt: Prevent invalid array index access to vgpu->fence.regs[]
Zhenyu Wang
zhenyuw at linux.intel.com
Fri Mar 22 06:16:54 UTC 2019
On 2019.03.20 11:21:25 +0800, Colin Xu wrote:
> Invalid index could result in array overflow so limit it to array size.
> Although these access are protected by current gvt logic and won't hit
> during running, but still has potential security risk in future.
>
> Signed-off-by: Colin Xu <colin.xu at intel.com>
> ---
> drivers/gpu/drm/i915/gvt/aperture_gm.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/i915/gvt/aperture_gm.c b/drivers/gpu/drm/i915/gvt/aperture_gm.c
> index 1fa2f65c3cd1..ec14d7506114 100644
> --- a/drivers/gpu/drm/i915/gvt/aperture_gm.c
> +++ b/drivers/gpu/drm/i915/gvt/aperture_gm.c
> @@ -133,7 +133,8 @@ void intel_vgpu_write_fence(struct intel_vgpu *vgpu,
>
> assert_rpm_wakelock_held(dev_priv);
>
> - if (WARN_ON(fence >= vgpu_fence_sz(vgpu)))
> + if (WARN_ON(fence >= vgpu_fence_sz(vgpu) ||
> + fence >= INTEL_GVT_MAX_NUM_FENCES))
> return;
Looks unnecessary as vGPU won't use more than max fences.
>
> reg = vgpu->fence.regs[fence];
> --
> 2.21.0
>
> _______________________________________________
> intel-gvt-dev mailing list
> intel-gvt-dev at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/intel-gvt-dev
--
Open Source Technology Center, Intel ltd.
$gpg --keyserver wwwkeys.pgp.net --recv-keys 4D781827
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/intel-gvt-dev/attachments/20190322/a3f0c50f/attachment.sig>
More information about the intel-gvt-dev
mailing list