This adds a test to make sure that the execbuffer validation routine is checking for invalid addresses, single entry overflow, and multi-entry wrapping overflow. Signed-off-by: Kees Cook <keescook at chromium.org> --- tests/.gitignore | 1 + tests/Makefile.am | 1 + tests/gem_reloc_overflow.c | 154 ++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 156 insertions(+) create mode 100644 tests/gem_reloc_overflow.c diff --git a/tests/.gitignore b/tests/.gitignore index 7e2d901..fd30412 100644 --- a/tests/.gitignore +++ b/tests/.gitignore @@ -45,6 +45,7 @@ gem_pipe_control_store_loop gem_pread_after_blit gem_pwrite gem_readwrite +gem_reloc_overflow gem_reloc_vs_gpu gem_reg_read gem_render_linear_blits diff --git a/tests/Makefile.am b/tests/Makefile.am index ef68a02..2fddfe8 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -84,6 +84,7 @@ TESTS_progs = \ gem_pipe_control_store_loop \ gem_unfence_active_buffers \ gem_unref_active_buffers \ + gem_reloc_overflow \ gem_reloc_vs_gpu \ drm_vma_limiter \ drm_vma_limiter_cpu \ diff --git a/tests/gem_reloc_overflow.c b/tests/gem_reloc_overflow.c new file mode 100644 index 0000000..d666f4f --- /dev/null +++ b/tests/gem_reloc_overflow.c @@ -0,0 +1,154 @@ +/* + * Copyright ? 2013 Google + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice (including the next + * paragraph) shall be included in all copies or substantial portions of the + * Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS + * IN THE SOFTWARE. + * + * Authors: + * Kees Cook <keescook at chromium.org> + * + */ + +#include <stdlib.h> +#include <stdio.h> +#include <stdint.h> +#include <string.h> +#include <assert.h> +#include <fcntl.h> +#include <inttypes.h> +#include <errno.h> +#include <unistd.h> +#include <malloc.h> +#include <limits.h> +#include <sys/ioctl.h> +#include <sys/mman.h> +#include <sys/stat.h> +#include <sys/time.h> +#include <sys/types.h> +#include "drm.h" +#include "i915_drm.h" +#include "drmtest.h" +#include "intel_gpu_tools.h" + +/* + * Testcase: Kernel relocation overflows are caught. + */ + +int main(int argc, char *argv[]) +{ + int fd, i, entries, num; + size_t reloc_size; + size_t total_actual = 0; + unsigned int total_unsigned = 0; + int total_signed = 0; + uint32_t *handles; + struct drm_i915_gem_relocation_entry *reloc; + struct drm_i915_gem_exec_object2 *execobjs; + struct drm_i915_gem_execbuffer2 execbuf = { 0 }; + + fd = drm_open_any(); + + /* Create giant reloc buffer area. */ + num = 257; + entries = ((1ULL << 32) / (num - 1)); + reloc_size = entries * sizeof(struct drm_i915_gem_relocation_entry); + reloc = mmap(NULL, reloc_size, PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANON, -1, 0); + if (reloc == MAP_FAILED) { + perror("mmap"); + return errno; + } + + /* Allocate the handles we'll need to wrap. */ + handles = calloc(num, sizeof(*handles)); + for (i = 0; i < num; i++) { + struct drm_i915_gem_create create_args = { 0 }; + create_args.size = 0x1000; + if (ioctl(fd, DRM_IOCTL_I915_GEM_CREATE, &create_args)) { + perror("DRM_IOCTL_I915_GEM_CREATE"); + return errno; + } + handles[i] = create_args.handle; + } + + /* Create relocation objects. */ + execobjs = calloc(num, sizeof(*execobjs)); + execbuf.buffers_ptr = (uintptr_t)execobjs; + + /* Attempt unmapped single entry. */ + execobjs[0].relocation_count = 1; + execobjs[0].relocs_ptr = 0; + execbuf.buffer_count = 1; + + errno = 0; + ioctl(fd, DRM_IOCTL_I915_GEM_EXECBUFFER2, &execbuf); + if (errno != EFAULT) { + perror("DRM_IOCTL_I915_GEM_EXECBUFFER2, invalid address"); + abort(); + } + + /* Attempt single overflowed entry. */ + execobjs[0].relocation_count = (1 << 31); + execobjs[0].relocs_ptr = (uintptr_t)reloc; + execbuf.buffer_count = 1; + + errno = 0; + ioctl(fd, DRM_IOCTL_I915_GEM_EXECBUFFER2, &execbuf); + if (errno != EINVAL) { + perror("DRM_IOCTL_I915_GEM_EXECBUFFER2, single overflow"); + abort(); + } + + /* Attempt wrapped overflow entries. */ + for (i = 0; i < num; i++) { + struct drm_i915_gem_exec_object2 *obj = &execobjs[i]; + obj->handle = handles[i]; + + if (i == num - 1) { + /* Wraps to 1 on last count. */ + obj->relocation_count = 1 - total_unsigned; + obj->relocs_ptr = (uintptr_t)reloc; + } else { + obj->relocation_count = entries; + obj->relocs_ptr = (uintptr_t)reloc; + } + + total_unsigned += obj->relocation_count; + total_signed += obj->relocation_count; + total_actual += obj->relocation_count; + } + execbuf.buffer_count = num; + + errno = 0; + ioctl(fd, DRM_IOCTL_I915_GEM_EXECBUFFER2, &execbuf); + if (errno != EINVAL) { + /* ENOENT means we're subject to wrapping overflow since + * processing has continued into validating buffer contents. + */ + perror("DRM_IOCTL_I915_GEM_EXECBUFFER2, wrap overflow"); + abort(); + } + + if (close(fd)) { + perror("close"); + return errno; + } + + return 0; +} -- 1.7.9.5 -- Kees Cook Chrome OS Security