Quoting Lionel Landwerlin (2018-01-16 13:40:09)
> +int i915_query_ioctl(struct drm_device *dev, void *data, struct drm_file *file)
> +{
> + struct drm_i915_query *args = data;
> + struct drm_i915_query_item __user *user_item_ptr =
> + u64_to_user_ptr(args->items_ptr);
> + u32 i;

You need to reject non-zero pad values. I would just rename them as flags because that's almost always the first field added later on when extending the ioctl.

> +
> + for (i = 0; i < args->num_items; i++, user_item_ptr++) {
> + struct drm_i915_query_item item;
> +
> + if (copy_from_user(&item, user_item_ptr, sizeof(item)))
> + return -EFAULT;
> +
> + switch (item.query_id) {
> + default:
> + return -EINVAL;
> + }
> +
> + if (copy_to_user(user_item_ptr, &item, sizeof(item)))
> + return -EFAULT;

I would suggest not doing a blind copy of the entire item. The majority of it should be unchanged, but copying everything sounds like an easy accident to leak information (looking at that item_ptr.ptr!). The only out-param in the item is the length, so just copy that back?
-Chris
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
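Review bot: In the loop body, `default: return -EINVAL;` aborts the whole batch on the first unrecognised query_id after earlier items have already been written back via copy_to_user, so userspace gets a partial result with no way to tell which item failed. Consider reporting the error per item (for example by storing a negative value in the item's length and continuing to the next item), or at least documenting that a failed batch is not rolled back. The loop also places no upper bound on args->num_items, so a caller can keep the ioctl busy for a long time; a cap on num_items or a signal_pending() check inside the loop would bound that.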