On 16/01/18 14:08, Chris Wilson wrote:
Quoting Lionel Landwerlin (2018-01-16 13:40:09)
+int i915_query_ioctl(struct drm_device *dev, void *data, struct drm_file *file)
+{
+ struct drm_i915_query *args = data;
+ struct drm_i915_query_item __user *user_item_ptr =
+ u64_to_user_ptr(args->items_ptr);
+ u32 i;
You need to reject non-zero pad values. I would just rename them as
flags because that's almost always the first field added later on when
extending the ioctl.
Ah yeah, forgot about that...
+
+ for (i = 0; i < args->num_items; i++, user_item_ptr++) {
+ struct drm_i915_query_item item;
+
+ if (copy_from_user(&item, user_item_ptr, sizeof(item)))
+ return -EFAULT;
+
+ switch (item.query_id) {
+ default:
+ return -EINVAL;
+ }
+
+ if (copy_to_user(user_item_ptr, &item, sizeof(item)))
+ return -EFAULT;
I would suggest not doing a blind copy of the entire item. The majority
of it should be unchanged, but copying everything sounds like an easy
accident to leak information (looking at that item_ptr.ptr!). The only
out-param in the item is the length, so just copy that back?
-Chris
Done.
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/intel-gfx