From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Lucas De Marchi, Rodrigo Vivi, Jani Nikula
Subject: [PATCH 5.1 041/115] drm/i915/dmc: protect against reading random memory
Date: Mon, 17 Jun 2019 23:09:01 +0200
Message-Id: <20190617210802.120521623@linuxfoundation.org>
In-Reply-To: <20190617210759.929316339@linuxfoundation.org>
References: <20190617210759.929316339@linuxfoundation.org>

From: Lucas De Marchi

commit 326fb6dd1483c985a6ef47db3fa8788bb99e8b83 upstream.

While loading the DMC firmware we were double checking the headers made
sense, but in no place we checked that we were actually reading memory
we were supposed to. This could be wrong in case the firmware file is
truncated or malformed.

Before this patch:
	# ls -l /lib/firmware/i915/icl_dmc_ver1_07.bin
	-rw-r--r-- 1 root root 25716 Feb 1 12:26 icl_dmc_ver1_07.bin
	# truncate -s 25700 /lib/firmware/i915/icl_dmc_ver1_07.bin
	# modprobe i915
	# dmesg| grep -i dmc
	[drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin
	[drm] Finished loading DMC firmware i915/icl_dmc_ver1_07.bin (v1.7)

i.e. it loads random data. Now it fails like below:
	[drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin
	[drm:csr_load_work_fn [i915]] *ERROR* Truncated DMC firmware, rejecting.
	i915 0000:00:02.0: Failed to load DMC firmware i915/icl_dmc_ver1_07.bin. Disabling runtime power management.
	i915 0000:00:02.0: DMC firmware homepage: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/i915

Before reading any part of the firmware file, validate the input first.

Fixes: eb805623d8b1 ("drm/i915/skl: Add support to load SKL CSR firmware.")
Cc: stable@vger.kernel.org
Signed-off-by: Lucas De Marchi Reviewed-by: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/20190605235535.17791-1-lucas.demarchi@intel.com (cherry picked from commit bc7b488b1d1c71dc4c5182206911127bc6c410d6) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/i915/intel_csr.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) --- a/drivers/gpu/drm/i915/intel_csr.c +++ b/drivers/gpu/drm/i915/intel_csr.c @@ -300,10 +300,17 @@ static u32 *parse_csr_fw(struct drm_i915 u32 dmc_offset = CSR_DEFAULT_FW_OFFSET, readcount = 0, nbytes; u32 i; u32 *dmc_payload; + size_t fsize; if (!fw) return NULL; + fsize = sizeof(struct intel_css_header) + + sizeof(struct intel_package_header) + + sizeof(struct intel_dmc_header); + if (fsize > fw->size) + goto error_truncated; + /* Extract CSS Header information*/ css_header = (struct intel_css_header *)fw->data; if (sizeof(struct intel_css_header) != @@ -363,6 +370,9 @@ static u32 *parse_csr_fw(struct drm_i915 /* Convert dmc_offset into number of bytes. By default it is in dwords*/ dmc_offset *= 4; readcount += dmc_offset; + fsize += dmc_offset; + if (fsize > fw->size) + goto error_truncated; /* Extract dmc_header information. */ dmc_header = (struct intel_dmc_header *)&fw->data[readcount]; @@ -394,6 +404,10 @@ static u32 *parse_csr_fw(struct drm_i915 /* fw_size is in dwords, so multiplied by 4 to convert into bytes. */ nbytes = dmc_header->fw_size * 4; + fsize += nbytes; + if (fsize > fw->size) + goto error_truncated; + if (nbytes > csr->max_fw_size) { DRM_ERROR("DMC FW too big (%u bytes)\n", nbytes); return NULL; @@ -407,6 +421,10 @@ static u32 *parse_csr_fw(struct drm_i915 } return memcpy(dmc_payload, &fw->data[readcount], nbytes); + +error_truncated: + DRM_ERROR("Truncated DMC firmware, rejecting.\n"); + return NULL; } static void intel_csr_runtime_pm_get(struct drm_i915_private *dev_priv)
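
Review bot: the new `fsize` variable in the first hunk (@@ -300) has no comment saying what it tracks, and it is easy to confuse with the existing `readcount`. From the visible lines it is a running lower bound on the file size the parser needs, starting at the sum of the three header sizes, whereas `readcount` is the current read position and does not include the DMC header when `dmc_header` is taken from `&fw->data[readcount]`. A one-line comment at the `fsize = sizeof(struct intel_css_header) + ...` assignment stating that would make the later `fsize +=` steps easier to audit.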
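
Review bot: in the second hunk (@@ -363), `fsize += dmc_offset` can wrap on builds where `size_t` is 32 bits, and the preceding `dmc_offset *= 4` is u32 arithmetic that can wrap on any build. `fsize` already holds the three header sizes, so for a large `dmc_offset` the sum can wrap to a small value and pass `fsize > fw->size` while `&fw->data[readcount]` on the next line indexes far outside the buffer. Since the first hunk has already established `fsize <= fw->size`, testing the remaining space before the addition, `if (dmc_offset > fw->size - fsize) goto error_truncated;`, does not depend on the width of `size_t`; the multiplication by 4 would need its own bound before it.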
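
Review bot: in the third hunk (@@ -394), the truncation check is placed before the existing `nbytes > csr->max_fw_size` test, so `fsize += nbytes` runs on a value that has not been bounded yet. `nbytes` comes from `dmc_header->fw_size * 4` in u32, and an oversized `fw_size` is now reported as "Truncated DMC firmware" instead of "DMC FW too big". Running the `max_fw_size` test first, then `if (nbytes > fw->size - fsize) goto error_truncated;`, keeps the more specific error message and keeps the addition away from unbounded input.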
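
Review bot: the `error_truncated` path in the last hunk (@@ -407) logs the same fixed string for all three checks, so the message does not say which stage failed or by how much. Printing the required and actual sizes, for example `DRM_ERROR("Truncated DMC firmware (need %zu bytes, have %zu), rejecting.\n", fsize, fw->size);`, would let a user tell a file that is a few bytes short from one with a corrupt header field.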