summaryrefslogtreecommitdiffstats
path: root/drivers/gpu
diff options
context:
space:
mode:
authorYu Zhao <yuzhao@google.com>2019-01-07 15:51:15 -0700
committerAlex Deucher <alexander.deucher@amd.com>2019-01-08 16:26:50 -0500
commitc4a32b266da7bb702e60381ca0c35eaddbc89a6c (patch)
treeaf07926e4794a778ad656fdb277b230c08db6463 /drivers/gpu
parent89f23b6efef554766177bf51aa754bce14c3e7da (diff)
downloadlinux-c4a32b266da7bb702e60381ca0c35eaddbc89a6c.tar.gz
linux-c4a32b266da7bb702e60381ca0c35eaddbc89a6c.tar.bz2
linux-c4a32b266da7bb702e60381ca0c35eaddbc89a6c.zip
drm/amdgpu: validate user GEM object size
When creating frame buffer, userspace may request to attach to a previously allocated GEM object that is smaller than what GPU requires. Validation must be done to prevent out-of-bound DMA, otherwise it could be exploited to reveal sensitive data. This fix is not done in a common code path because individual driver might have different requirement. Cc: stable@vger.kernel.org # v4.2+ Reviewed-by: Michel Dänzer <michel.daenzer@amd.com> Signed-off-by: Yu Zhao <yuzhao@google.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Diffstat (limited to 'drivers/gpu')
-rw-r--r--drivers/gpu/drm/amd/amdgpu/amdgpu_display.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
index cb72d9675ab1..dafc645b2e4e 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
@@ -531,6 +531,7 @@ amdgpu_display_user_framebuffer_create(struct drm_device *dev,
struct drm_gem_object *obj;
struct amdgpu_framebuffer *amdgpu_fb;
int ret;
+ int height;
struct amdgpu_device *adev = dev->dev_private;
int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0);
int pitch = mode_cmd->pitches[0] / cpp;
@@ -555,6 +556,13 @@ amdgpu_display_user_framebuffer_create(struct drm_device *dev,
return ERR_PTR(-EINVAL);
}
+ height = ALIGN(mode_cmd->height, 8);
+ if (obj->size < pitch * height) {
+ DRM_DEBUG_KMS("Invalid GEM size: expecting >= %d but got %zu\n",
+ pitch * height, obj->size);
+ return ERR_PTR(-EINVAL);
+ }
+
amdgpu_fb = kzalloc(sizeof(*amdgpu_fb), GFP_KERNEL);
if (amdgpu_fb == NULL) {
drm_gem_object_put_unlocked(obj);