aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMarek Olšák <maraeo@gmail.com>2011-06-10 10:41:26 -0400
committerDave Airlie <airlied@redhat.com>2011-06-13 20:59:03 -0400
commita27bb4b209dd6c327fa4e7185f2487f9508a58db (patch)
tree2c4ff2f2ded3beaaa74ef16047d5ab405e30d906
parentab21e60beaa96f2c55604f633dfe74076c531df7 (diff)
drm/radeon/kms: do bounds checking for 3D_LOAD_VBPNTR and bump array limit
To my knowledge, the limit is 16 on r300. (the docs don't say what the limit is) The lack of bounds checking can be abused to do all sorts of things (from bypassing parts of the CS checker to crashing the kernel). Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=36745 Cc: stable@kernel.org Signed-off-by: Marek Olšák <maraeo@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-rw-r--r--drivers/gpu/drm/radeon/r100_track.h8
1 files changed, 7 insertions, 1 deletions
diff --git a/drivers/gpu/drm/radeon/r100_track.h b/drivers/gpu/drm/radeon/r100_track.h
index 2fef9de7f363..686f9dc5d4bd 100644
--- a/drivers/gpu/drm/radeon/r100_track.h
+++ b/drivers/gpu/drm/radeon/r100_track.h
@@ -63,7 +63,7 @@ struct r100_cs_track {
63 unsigned num_arrays; 63 unsigned num_arrays;
64 unsigned max_indx; 64 unsigned max_indx;
65 unsigned color_channel_mask; 65 unsigned color_channel_mask;
66 struct r100_cs_track_array arrays[11]; 66 struct r100_cs_track_array arrays[16];
67 struct r100_cs_track_cb cb[R300_MAX_CB]; 67 struct r100_cs_track_cb cb[R300_MAX_CB];
68 struct r100_cs_track_cb zb; 68 struct r100_cs_track_cb zb;
69 struct r100_cs_track_cb aa; 69 struct r100_cs_track_cb aa;
@@ -146,6 +146,12 @@ static inline int r100_packet3_load_vbpntr(struct radeon_cs_parser *p,
146 ib = p->ib->ptr; 146 ib = p->ib->ptr;
147 track = (struct r100_cs_track *)p->track; 147 track = (struct r100_cs_track *)p->track;
148 c = radeon_get_ib_value(p, idx++) & 0x1F; 148 c = radeon_get_ib_value(p, idx++) & 0x1F;
149 if (c > 16) {
150 DRM_ERROR("Only 16 vertex buffers are allowed %d\n",
151 pkt->opcode);
152 r100_cs_dump_packet(p, pkt);
153 return -EINVAL;
154 }
149 track->num_arrays = c; 155 track->num_arrays = c;
150 for (i = 0; i < (c - 1); i+=2, idx+=3) { 156 for (i = 0; i < (c - 1); i+=2, idx+=3) {
151 r = r100_cs_packet_next_reloc(p, &reloc); 157 r = r100_cs_packet_next_reloc(p, &reloc);