[PATCH 1/6] drm/i915/gvt: Prevent invalid array index access to vgpu->fence.regs[]

Zhenyu Wang zhenyuw at linux.intel.com
Fri Mar 22 06:16:54 UTC 2019


On 2019.03.20 11:21:25 +0800, Colin Xu wrote:
> Invalid index could result in array overflow so limit it to array size.
> Although these access are protected by current gvt logic and won't hit
> during running, but still has potential security risk in future.
> 
> Signed-off-by: Colin Xu <colin.xu at intel.com>
> ---
>  drivers/gpu/drm/i915/gvt/aperture_gm.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/i915/gvt/aperture_gm.c b/drivers/gpu/drm/i915/gvt/aperture_gm.c
> index 1fa2f65c3cd1..ec14d7506114 100644
> --- a/drivers/gpu/drm/i915/gvt/aperture_gm.c
> +++ b/drivers/gpu/drm/i915/gvt/aperture_gm.c
> @@ -133,7 +133,8 @@ void intel_vgpu_write_fence(struct intel_vgpu *vgpu,
>  
>  	assert_rpm_wakelock_held(dev_priv);
>  
> -	if (WARN_ON(fence >= vgpu_fence_sz(vgpu)))
> +	if (WARN_ON(fence >= vgpu_fence_sz(vgpu) ||
> +		    fence >= INTEL_GVT_MAX_NUM_FENCES))
>  		return;

Looks unnecessary as vGPU won't use more than max fences.

>  
>  	reg = vgpu->fence.regs[fence];
> -- 
> 2.21.0
> 
> _______________________________________________
> intel-gvt-dev mailing list
> intel-gvt-dev at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/intel-gvt-dev

-- 
Open Source Technology Center, Intel ltd.

$gpg --keyserver wwwkeys.pgp.net --recv-keys 4D781827
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/intel-gvt-dev/attachments/20190322/a3f0c50f/attachment.sig>


More information about the intel-gvt-dev mailing list