On Mon, Nov 03, 2014 at 10:51:42AM +0100, Daniel Vetter wrote:
> On Mon, Nov 03, 2014 at 10:27:47AM +0100, Thierry Reding wrote:
> > From: Thierry Reding <treding@xxxxxxxxxx>
> >
> > When creating a dumb buffer object using the DRM_IOCTL_MODE_CREATE_DUMB
> > IOCTL, only the width, height, bpp and flags parameters are inputs. The
> > caller is not guaranteed to zero out or set handle, pitch and size, so
> > the driver must not treat these values as possible inputs.
> >
> > Fixes a bug where running the Weston compositor on Tegra DRM would cause
> > an attempt to allocate a 3 GiB framebuffer to be allocated.
> >
> > Fixes: de2ba664c30f ("gpu: host1x: drm: Add memory manager and fb")
> > Cc: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: Thierry Reding <treding@xxxxxxxxxx>
>
> Shouldn't we also clear these fields in the drm core ioctl code? This
> is indeed surprising (yay for lacking input validation!), doing this
> mistake in each driver won't scale ...

They are clearly documented as being outputs in the drm_mode_create_dumb
struct (include/uapi/drm/drm_mode.h), so this was really just me being
stupid a couple of years ago.

But yes, validating the input in the core sounds like a good idea to
avoid this in other drivers in the future.

Thierry
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/dri-devel
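The bug class discussed in this thread, as an added userspace example that is not part of the original messages and is not the Tegra driver's or the DRM core's code: a callback that honours stale output fields, a callback that derives them from the inputs only, and a core-side guard that clears them before any driver runs. The struct mirrors the field layout of `drm_mode_create_dumb`; all function names, the validation rules and the stale values in the sample request are assumptions made for illustration.

```c
#include <stdint.h>

/* Same field layout as struct drm_mode_create_dumb (include/uapi/drm/drm_mode.h). */
struct create_dumb {
    uint32_t height, width, bpp, flags; /* inputs from userspace */
    uint32_t handle, pitch;             /* outputs */
    uint64_t size;                      /* output */
};
typedef uint64_t (*create_fn)(struct create_dumb *);

/* Hypothetical callback with the bug class from the thread: stale pitch and
 * size values are honoured as caller-requested minimums. */
uint64_t driver_create_trusting(struct create_dumb *a)
{
    uint32_t min_pitch = (a->width * a->bpp + 7) / 8;
    if (a->pitch < min_pitch)
        a->pitch = min_pitch;
    if (a->size < (uint64_t)a->pitch * a->height)
        a->size = (uint64_t)a->pitch * a->height;
    return a->size; /* bytes the driver would go on to allocate */
}

/* Corrected callback: outputs are derived from the inputs only. */
uint64_t driver_create_fixed(struct create_dumb *a)
{
    a->pitch = (a->width * a->bpp + 7) / 8;
    a->size = (uint64_t)a->pitch * a->height;
    return a->size;
}

/* Core-side guard (hypothetical): reject degenerate inputs by returning 0,
 * then clear every output field so no callback sees caller data in them. */
uint64_t core_create_dumb(struct create_dumb *a, create_fn drv)
{
    if (!a->width || !a->height || !a->bpp ||
        (uint64_t)a->width * a->bpp > UINT32_MAX - 7)
        return 0;
    a->handle = a->pitch = 0;
    a->size = 0;
    return drv(a);
}

/* Constructed request: 1920x1080 at 32 bpp with stale output fields. */
struct create_dumb stale_request(void)
{
    return (struct create_dumb){ .height = 1080, .width = 1920, .bpp = 32,
        .handle = 0xdeadbeef, .pitch = 0, .size = 3ULL << 30 };
}
```

Called directly, the trusting callback keeps the stale 3 GiB size, while the same callback behind the guard sizes the buffer at 7680 bytes per line times 1080 lines.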