From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Alex Deucher, Christian König, "David (ChunMing) Zhou", David Airlie, amd-gfx@lists.freedesktop.org (open list:RADEON and AMDGPU DRM DRIVERS), dri-devel@lists.freedesktop.org (open list:DRM DRIVERS), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] drm/radeon: fix a missing-check bug
Date: Thu, 18 Oct 2018 11:42:13 -0500
Message-Id: <1539880933-6887-1-git-send-email-wang6495@umn.edu>

In igp_read_bios_from_vram(), the start of vram is firstly remapped to the IO memory region 'bios' through ioremap(). Then the size and values of 'bios' are checked. For example, 'bios[0]' is compared against 0x55 and 'bios[1]' is compared against 0xaa. If no error happens during this checking process, the whole data in 'bios' is then copied to 'rdev->bios' through memcpy_fromio().

The problem here is that the checks are performed on 'bios' directly. Given that the IO memory region can also be accessed by the device, it is possible that a malicious device races to modify 'bios[0]' and/or 'bios[1]' after the checks but before memcpy_fromio(). This can cause undefined behavior of the kernel and potentially introduce a security risk, especially when the device can be controlled by attackers.

This patch avoids the above issue by rewriting the first two bytes of 'rdev->bios' after memcpy_fromio() with the expected values.

Signed-off-by: Wenwen Wang
---
 drivers/gpu/drm/radeon/radeon_bios.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/radeon/radeon_bios.c b/drivers/gpu/drm/radeon/radeon_bios.c
index 04c0ed4..d8304fa 100644
--- a/drivers/gpu/drm/radeon/radeon_bios.c
+++ b/drivers/gpu/drm/radeon/radeon_bios.c
@@ -69,6 +69,8 @@ static bool igp_read_bios_from_vram(struct radeon_device *rdev) return false; } memcpy_fromio(rdev->bios, bios, size); + rdev->bios[0] = 0x55; + rdev->bios[1] = 0xaa; iounmap(bios); return true; } -- 2.7.4
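Review bot: forcing rdev->bios[0] = 0x55 and rdev->bios[1] = 0xaa after memcpy_fromio(rdev->bios, bios, size) only pins the two bytes the checks happened to compare; it does not close the race the commit message describes, because `size` (and anything else validated against 'bios' before the copy) was read from the same device-visible region and is still trusted as-is. A device that can flip bios[0..1] in the window can equally change whatever the size check read. The robust ordering is copy first, then run every check against the private copy and take the existing `return false;` failure path when the copied bytes do not match, e.g. `memcpy_fromio(rdev->bios, bios, size); if (rdev->bios[0] != 0x55 || rdev->bios[1] != 0xaa) { /* existing cleanup */ return false; }`. Silently overwriting the magic also hides the inconsistency instead of reporting it: a caller that later trusts rdev->bios gets no signal that the image it holds differs from what was checked.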
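To make the ordering problem in the commit message concrete, here is an added, stand-alone C simulation; it is not the radeon driver's code and not from the patch author. A plain buffer stands in for the ioremap()ed region, a callback stands in for a device write that lands between the check and the copy, and the copy-then-validate variant runs every check on the private snapshot so no such window exists. The image layout (magic 0x55 0xaa, byte 2 giving the length in 512-byte units) and all function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIOS_MAX 1024

/* Constructed stand-in for the device-visible (ioremap()ed) region and for the
 * kernel-private destination buffer (rdev->bios in the driver). */
static uint8_t g_io[BIOS_MAX];
static uint8_t g_out[BIOS_MAX];

/* Validate an image that has ALREADY been copied out of device-visible memory.
 * Every read here is of the snapshot, so a later device write cannot change
 * the verdict or the bytes the caller keeps.  Layout is assumed (see lead-in). */
static bool bios_snapshot_valid(const uint8_t *snap, size_t len)
{
    if (len < 3)
        return false;
    if (snap[0] != 0x55 || snap[1] != 0xaa)
        return false;
    size_t declared = (size_t)snap[2] * 512;   /* assumed length field */
    return declared != 0 && declared <= len;
}

/* Copy-then-check: the ordering that closes the TOCTOU window.
 * Returns the validated image length, or 0 if the snapshot fails validation. */
static size_t read_bios_copy_then_check(const volatile uint8_t *io, size_t io_len,
                                        uint8_t *out, size_t out_cap)
{
    size_t n = io_len < out_cap ? io_len : out_cap;
    for (size_t i = 0; i < n; i++)       /* memcpy_fromio() stand-in */
        out[i] = io[i];
    if (!bios_snapshot_valid(out, n))
        return 0;
    return (size_t)out[2] * 512;
}

/* Check-then-copy: the original ordering.  Each check is its own read of device
 * memory and the copy is yet another; nothing guarantees they see the same bytes.
 * 'race' models a device write landing between the checks and the copy. */
static size_t read_bios_check_then_copy(const volatile uint8_t *io, size_t io_len,
                                        uint8_t *out, size_t out_cap,
                                        void (*race)(void))
{
    if (io_len < 3 || io[0] != 0x55 || io[1] != 0xaa)
        return 0;
    size_t declared = (size_t)io[2] * 512;
    if (declared == 0 || declared > io_len || declared > out_cap)
        return 0;
    if (race)
        race();                          /* the window the commit message describes */
    for (size_t i = 0; i < declared; i++)
        out[i] = io[i];
    return declared;
}

/* Constructed device state: a well-formed 1024-byte image. */
static void load_good_image(void)
{
    memset(g_io, 0, sizeof g_io);
    g_io[0] = 0x55;
    g_io[1] = 0xaa;
    g_io[2] = 2;                         /* 2 * 512 = 1024 bytes */
}

/* Constructed device behaviour: rewrite the first magic byte. */
static void device_rewrites_magic(void)
{
    g_io[0] = 0x00;
}

/* Returns 1 when check-then-copy accepts an image whose copy does not validate:
 * the caller holds data that never passed the checks it relied on. */
int scenario_check_then_copy_inconsistent(void)
{
    load_good_image();
    size_t n = read_bios_check_then_copy(g_io, sizeof g_io, g_out, sizeof g_out,
                                         device_rewrites_magic);
    return n != 0 && !bios_snapshot_valid(g_out, n);
}

/* Returns 1 when copy-then-check rejects an image the device has rewritten. */
int scenario_copy_then_check_rejects(void)
{
    load_good_image();
    device_rewrites_magic();
    return read_bios_copy_then_check(g_io, sizeof g_io, g_out, sizeof g_out) == 0;
}

/* Returns the accepted length for an untouched image (1024 for the constructed header). */
size_t scenario_copy_then_check_accepts(void)
{
    load_good_image();
    return read_bios_copy_then_check(g_io, sizeof g_io, g_out, sizeof g_out);
}

int main(void)
{
    printf("check-then-copy accepted an invalid copy: %d\n",
           scenario_check_then_copy_inconsistent());
    printf("copy-then-check rejected the rewritten image: %d\n",
           scenario_copy_then_check_rejects());
    printf("copy-then-check accepted length: %zu\n",
           scenario_copy_then_check_accepts());
    return 0;
}
```

The point of the two scenario functions is that the safe variant never returns a buffer it has not itself validated: because the checks consume the snapshot rather than the live region, there is no ordering a device can exploit, and a mismatch surfaces as a rejected image rather than being patched over.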