
Commit a6d5563

lolzballsgregkh
authored andcommitted
drm/amdgpu/vcn4: Prevent OOB reads when parsing IB
commit 2444eb0 upstream. Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks. Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com> Acked-by: Christian König <christian.koenig@amd.com> Reviewed-by: Ruijing Dong <ruijing.dong@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent fec8b11 commit a6d5563

1 file changed

Lines changed: 12 additions & 11 deletions


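--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
@@ -1912,9 +1912,10 @@ static int vcn_v4_0_dec_msg(struct amdgpu_cs_parser *p, struct amdgpu_job *job,
 static int vcn_v4_0_enc_find_ib_param(struct amdgpu_ib *ib, uint32_t id, int start)
 {
 int i;
+uint32_t len;
 
-for (i = start; i < ib->length_dw && ib->ptr[i] >= 8; i += ib->ptr[i] / 4) {
-if (ib->ptr[i + 1] == id)
+for (i = start; (len = amdgpu_ib_get_value(ib, i)) >= 8; i += len / 4) {
+if (amdgpu_ib_get_value(ib, i + 1) == id)
 return i;
 }
 return -1;
@@ -1925,8 +1926,6 @@ static int vcn_v4_0_ring_patch_cs_in_place(struct amdgpu_cs_parser *p,
 struct amdgpu_ib *ib)
 {
 struct amdgpu_ring *ring = amdgpu_job_ring(job);
-struct amdgpu_vcn_decode_buffer *decode_buffer;
-uint64_t addr;
 uint32_t val;
 int idx = 0, sidx;
 
@@ -1937,20 +1936,22 @@ static int vcn_v4_0_ring_patch_cs_in_place(struct amdgpu_cs_parser *p,
 while ((idx = vcn_v4_0_enc_find_ib_param(ib, RADEON_VCN_ENGINE_INFO, idx)) >= 0) {
 val = amdgpu_ib_get_value(ib, idx + 2); /* RADEON_VCN_ENGINE_TYPE */
 if (val == RADEON_VCN_ENGINE_TYPE_DECODE) {
-decode_buffer = (struct amdgpu_vcn_decode_buffer *)&ib->ptr[idx + 6];
+uint32_t valid_buf_flag = amdgpu_ib_get_value(ib, idx + 6);
+uint64_t msg_buffer_addr;
 
-if (!(decode_buffer->valid_buf_flag & 0x1))
+if (!(valid_buf_flag & 0x1))
 return 0;
 
-addr = ((u64)decode_buffer->msg_buffer_address_hi) << 32 |
-decode_buffer->msg_buffer_address_lo;
-return vcn_v4_0_dec_msg(p, job, addr);
+msg_buffer_addr = ((u64)amdgpu_ib_get_value(ib, idx + 7)) << 32 |
+amdgpu_ib_get_value(ib, idx + 8);
+return vcn_v4_0_dec_msg(p, job, msg_buffer_addr);
 } else if (val == RADEON_VCN_ENGINE_TYPE_ENCODE) {
 sidx = vcn_v4_0_enc_find_ib_param(ib, RENCODE_IB_PARAM_SESSION_INIT, idx);
-if (sidx >= 0 && ib->ptr[sidx + 2] == RENCODE_ENCODE_STANDARD_AV1)
+if (sidx >= 0 &&
+amdgpu_ib_get_value(ib, sidx + 2) == RENCODE_ENCODE_STANDARD_AV1)
 return vcn_v4_0_limit_sched(p, job);
 }
-idx += ib->ptr[idx] / 4;
+idx += amdgpu_ib_get_value(ib, idx) / 4;
 }
 return 0;
 }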
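Review bot: The walk in `vcn_v4_0_enc_find_ib_param()` no longer has an explicit `i < ib->length_dw` bound, so it terminates only if `amdgpu_ib_get_value()` returns a value below 8 for an index past the end of the IB; that helper is not shown in this diff, so the contract should be stated at the loop, for example `/* amdgpu_ib_get_value() yields 0 beyond length_dw, which ends the walk */`, after confirming that is what it does. The same applies to the decode branch, where an out-of-range `idx + 6` presumably reads as 0 and takes the `return 0` path instead of rejecting the submission. Separately, `idx += amdgpu_ib_get_value(ib, idx) / 4` re-reads the length word that the find helper already checked; if the IB memory can change between the two reads, the second value is unchecked, so a `< 8` test before advancing, or reusing the first value, would guarantee forward progress. The helper's closing brace and the start of `vcn_v4_0_ring_patch_cs_in_place()` lie outside the shown hunks.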
