mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-11-30 07:56:45 +07:00
drm/i915/cmdparser: Do not check past the cmd length.
The command MEDIA_VFE_STATE checks bits at offset +2 dwords. However, it is possible to have MEDIA_VFE_STATE command with length = 0 + LENGTH_BIAS = 2. In that case check_cmd will read bits from the following command, or even past the end of the buffer. If the offset ends up outside of the command length, reject the command. Fixes:351e3db2b3
("drm/i915: Implement command buffer parsing logic") Signed-off-by: Michal Srb <msrb@suse.com> Link: https://patchwork.freedesktop.org/patch/msgid/20180205151745.29292-1-msrb@suse.com Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Link: https://patchwork.freedesktop.org/patch/msgid/20180205160438.3267-2-chris@chris-wilson.co.uk (cherry picked from commit3aec7f871c
) Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
This commit is contained in:
parent
b18224e95c
commit
b3ad99ed45
@ -1212,6 +1212,12 @@ static bool check_cmd(const struct intel_engine_cs *engine,
|
||||
continue;
|
||||
}
|
||||
|
||||
if (desc->bits[i].offset >= length) {
|
||||
DRM_DEBUG_DRIVER("CMD: Rejected command 0x%08X, too short to check bitmask (%s)\n",
|
||||
*cmd, engine->name);
|
||||
return false;
|
||||
}
|
||||
|
||||
dword = cmd[desc->bits[i].offset] &
|
||||
desc->bits[i].mask;
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user