drm/amdgpu: info leak in amdgpu_gem_metadata_ioctl()

There is no limit on args->data.data_size_bytes so we could read beyond
the end of the args->data.data[] array.

Reviewed-by: Christian König <christian.koenig@amd.com>
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Dan Carpenter 2015-09-23 14:00:35 +03:00 committed by Alex Deucher
parent 0d2edd3791
commit 0913eab648
1 changed files with 5 additions and 0 deletions


@ -427,6 +427,10 @@ int amdgpu_gem_metadata_ioctl(struct drm_device *dev, void *data,
&args->data.data_size_bytes, &args->data.data_size_bytes,
&args->data.flags); &args->data.flags);
} else if (args->op == AMDGPU_GEM_METADATA_OP_SET_METADATA) { } else if (args->op == AMDGPU_GEM_METADATA_OP_SET_METADATA) {
if (args->data.data_size_bytes > sizeof(args->data.data)) {
r = -EINVAL;
goto unreserve;
}
r = amdgpu_bo_set_tiling_flags(robj, args->data.tiling_info); r = amdgpu_bo_set_tiling_flags(robj, args->data.tiling_info);
if (!r) if (!r)
r = amdgpu_bo_set_metadata(robj, args->data.data, r = amdgpu_bo_set_metadata(robj, args->data.data,
@ -434,6 +438,7 @@ int amdgpu_gem_metadata_ioctl(struct drm_device *dev, void *data,
args->data.flags); args->data.flags);
} }
unreserve:
amdgpu_bo_unreserve(robj); amdgpu_bo_unreserve(robj);
out: out:
drm_gem_object_unreference_unlocked(gobj); drm_gem_object_unreference_unlocked(gobj);
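Review bot: The new size check in the `AMDGPU_GEM_METADATA_OP_SET_METADATA` branch carries no comment explaining that `args->data.data_size_bytes` arrives from the ioctl caller and, per the commit message, is then used as the length read out of the fixed-size `args->data.data` array. I would put `/* data_size_bytes comes from userspace; reject anything larger than data[] before it is used as a copy length */` directly above the `if`. The bound is enforced only here in the ioctl handler; `amdgpu_bo_set_metadata()` is not visible on this page, so it is worth confirming that it has no other caller that passes an unchecked size. The body of `amdgpu_gem_metadata_ioctl()` starts and ends outside the hunks shown.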