Re: [PATCH] drm/i915/dmc: protect against reading random memory

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Jun 05, 2019 at 04:55:35PM -0700, Lucas De Marchi wrote:
> While loading the DMC firmware we were double checking the headers made
> sense, but in no place we checked that we were actually reading memory
> we were supposed to. This could be wrong in case the firmware file is
> truncated or malformed.
> 
> Before this patch:
> 	# ls -l /lib/firmware/i915/icl_dmc_ver1_07.bin
> 	-rw-r--r-- 1 root root  25716 Feb  1 12:26 icl_dmc_ver1_07.bin
> 	# truncate -s 25700 /lib/firmware/i915/icl_dmc_ver1_07.bin
> 	# modprobe i915
> 	# dmesg| grep -i dmc
> 	[drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin
> 	[drm] Finished loading DMC firmware i915/icl_dmc_ver1_07.bin (v1.7)
> 
> i.e. it loads random data. Now it fails like below:
> 	[drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin
> 	[drm:csr_load_work_fn [i915]] *ERROR* Truncated DMC firmware, rejecting.
> 	i915 0000:00:02.0: Failed to load DMC firmware i915/icl_dmc_ver1_07.bin. Disabling runtime power management.
> 	i915 0000:00:02.0: DMC firmware homepage: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/i915
> 
> Before reading any part of the firmware file, validate the input first.
> 
> Fixes: eb805623d8b1 ("drm/i915/skl: Add support to load SKL CSR firmware.")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Lucas De Marchi <lucas.demarchi@xxxxxxxxx>


Reviewed-by: Rodrigo Vivi <rodrigo.vivi@xxxxxxxxx>


> ---
> 
> This has been extracted from the bigger series
> https://patchwork.freedesktop.org/series/61016/ in a way that can be
> propagated to stable.

Thanks!

> 
>  drivers/gpu/drm/i915/intel_csr.c | 18 ++++++++++++++++++
>  1 file changed, 18 insertions(+)
> 
> diff --git a/drivers/gpu/drm/i915/intel_csr.c b/drivers/gpu/drm/i915/intel_csr.c
> index 4527b9662330..bf0eebd385b9 100644
> --- a/drivers/gpu/drm/i915/intel_csr.c
> +++ b/drivers/gpu/drm/i915/intel_csr.c
> @@ -303,10 +303,17 @@ static u32 *parse_csr_fw(struct drm_i915_private *dev_priv,
>  	u32 dmc_offset = CSR_DEFAULT_FW_OFFSET, readcount = 0, nbytes;
>  	u32 i;
>  	u32 *dmc_payload;
> +	size_t fsize;
>  
>  	if (!fw)
>  		return NULL;
>  
> +	fsize = sizeof(struct intel_css_header) +
> +		sizeof(struct intel_package_header) +
> +		sizeof(struct intel_dmc_header);
> +	if (fsize > fw->size)
> +		goto error_truncated;
> +
>  	/* Extract CSS Header information*/
>  	css_header = (struct intel_css_header *)fw->data;
>  	if (sizeof(struct intel_css_header) !=
> @@ -366,6 +373,9 @@ static u32 *parse_csr_fw(struct drm_i915_private *dev_priv,
>  	/* Convert dmc_offset into number of bytes. By default it is in dwords*/
>  	dmc_offset *= 4;
>  	readcount += dmc_offset;
> +	fsize += dmc_offset;
> +	if (fsize > fw->size)
> +		goto error_truncated;
>  
>  	/* Extract dmc_header information. */
>  	dmc_header = (struct intel_dmc_header *)&fw->data[readcount];
> @@ -397,6 +407,10 @@ static u32 *parse_csr_fw(struct drm_i915_private *dev_priv,
>  
>  	/* fw_size is in dwords, so multiplied by 4 to convert into bytes. */
>  	nbytes = dmc_header->fw_size * 4;
> +	fsize += nbytes;
> +	if (fsize > fw->size)
> +		goto error_truncated;
> +
>  	if (nbytes > csr->max_fw_size) {
>  		DRM_ERROR("DMC FW too big (%u bytes)\n", nbytes);
>  		return NULL;
> @@ -410,6 +424,10 @@ static u32 *parse_csr_fw(struct drm_i915_private *dev_priv,
>  	}
>  
>  	return memcpy(dmc_payload, &fw->data[readcount], nbytes);
> +
> +error_truncated:
> +	DRM_ERROR("Truncated DMC firmware, rejecting.\n");
> +	return NULL;
>  }
>  
>  static void intel_csr_runtime_pm_get(struct drm_i915_private *dev_priv)
> -- 
> 2.21.0
> 
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/intel-gfx




[Index of Archives]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux