Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp6815481ybi; Mon, 8 Jul 2019 09:07:41 -0700 (PDT) X-Google-Smtp-Source: APXvYqxfKc1tYP9ewSnB6QeNIYhzFr/vu5lrVzFq8K643qENs3HgozaZfeXXR+3fN/iru0LPZadB X-Received: by 2002:a63:6a81:: with SMTP id f123mr25305512pgc.348.1562602061102; Mon, 08 Jul 2019 09:07:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562602061; cv=none; d=google.com; s=arc-20160816; b=imiUW4x9LQMgrWjwin7wheQoZLEg4J2MFZXL/ks83/MEiMDfdDe82smokWG3Acqns7 PHFaIen535iWELRQ3PgafyoaeA3KtaCRGCj4l5tt5Ep5onKYHjrmbOrjpQdjoYajvrQ0 wLkV0BDm2Fd4Uud5ugZlIOyWXvnC2JHKEYKMT2ktVXriC94gTH9wPnCm8qx8XXdxcdds pH/Q5Hc+FOdx6fGqEwNdzOZgbFirAzxr9b4ie3KUof8wVr85y7Y2Z/a4sGZKgqqbgLat 7KPgJHiTCuAZaQQ6AIxOOuIBuuBo5H/hVupBrqdvuZ0jA4SgWQBvA8TQJiqiX6bpiv/i UWuA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=ZXlc/7PphrR/02o4+NICukg+NiNQh5FhTze0utuFmVs=; b=wlpzkMaw+uxZUqMaNmNLzoNkdjTqQ/wlH0ZcHKaK9ZNjeiO77uVPPajwts5WOSpceN 1yWjWtqaG6/LOx9Z6GrY0WiDz33weEwCqax2rYT518MsyEF/IIMzZdTqQE58TpBFZUVW 3nPhFRmkletSOTvEVVgw1ywTKbiKo+uW0pqGLYoBBH537wNp2JATbqz6x0RMg6sANq8o IH2+NyasGW6HaDogIphPjUYqqLxzm+GzkcXulXNXUPzZnEF6vdOkrx/q+jwBfVCWu1K4 BtvLdwrqRcBqehKksC13h5wN5VCEwlquA1jkE7G26meiH+PDhEV0+l1eyN9ubwOF5lXh W1Uw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=d4crevve; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b24si20860014pfi.180.2019.07.08.09.07.22; Mon, 08 Jul 2019 09:07:41 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=d4crevve; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387982AbfGHPW3 (ORCPT + 99 others); Mon, 8 Jul 2019 11:22:29 -0400 Received: from mail.kernel.org ([198.145.29.99]:48830 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727663AbfGHPWY (ORCPT ); Mon, 8 Jul 2019 11:22:24 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E54FF20665; Mon, 8 Jul 2019 15:22:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562599343; bh=ox3WH6zZtJmiPNpAZKeHVmPVMpAQvhgNkS+IDN4cqEQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=d4crevve8NLeSTTjRiT3iuHgniBz32bCS3shb/6sxz0yl/815C4AVHjm2v1eI8ASI OFyTbpq/m1sud//iT+4oM7y0lhKr657wj/lrRLyyrbdQII5wCKd+djhBdGecwwnqIq aVL+zSwlSVUpGPt/5hI7Zas141RzKkDrklYCzipw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Lucas De Marchi , Rodrigo Vivi , Jani Nikula , Sasha Levin Subject: [PATCH 4.9 084/102] drm/i915/dmc: protect against reading random memory Date: Mon, 8 Jul 2019 17:13:17 +0200 Message-Id: <20190708150530.815459442@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190708150525.973820964@linuxfoundation.org> References: <20190708150525.973820964@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org commit bc7b488b1d1c71dc4c5182206911127bc6c410d6 upstream. While loading the DMC firmware we were double checking the headers made sense, but in no place we checked that we were actually reading memory we were supposed to. This could be wrong in case the firmware file is truncated or malformed. Before this patch: # ls -l /lib/firmware/i915/icl_dmc_ver1_07.bin -rw-r--r-- 1 root root 25716 Feb 1 12:26 icl_dmc_ver1_07.bin # truncate -s 25700 /lib/firmware/i915/icl_dmc_ver1_07.bin # modprobe i915 # dmesg| grep -i dmc [drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin [drm] Finished loading DMC firmware i915/icl_dmc_ver1_07.bin (v1.7) i.e. it loads random data. Now it fails like below: [drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin [drm:csr_load_work_fn [i915]] *ERROR* Truncated DMC firmware, rejecting. i915 0000:00:02.0: Failed to load DMC firmware i915/icl_dmc_ver1_07.bin. Disabling runtime power management. i915 0000:00:02.0: DMC firmware homepage: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/i915 Before reading any part of the firmware file, validate the input first. Fixes: eb805623d8b1 ("drm/i915/skl: Add support to load SKL CSR firmware.") Signed-off-by: Lucas De Marchi Reviewed-by: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/20190605235535.17791-1-lucas.demarchi@intel.com (cherry picked from commit bc7b488b1d1c71dc4c5182206911127bc6c410d6) Signed-off-by: Jani Nikula [ Lucas: backported to 4.9+ adjusting the context ] Cc: stable@vger.kernel.org # v4.9+ Signed-off-by: Sasha Levin --- drivers/gpu/drm/i915/intel_csr.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/drivers/gpu/drm/i915/intel_csr.c b/drivers/gpu/drm/i915/intel_csr.c index 1ea0e1f43397..54d878cb458f 100644 --- a/drivers/gpu/drm/i915/intel_csr.c +++ b/drivers/gpu/drm/i915/intel_csr.c @@ -280,10 +280,17 @@ static uint32_t *parse_csr_fw(struct drm_i915_private *dev_priv, uint32_t i; uint32_t *dmc_payload; uint32_t required_version; + size_t fsize; if (!fw) return NULL; + fsize = sizeof(struct intel_css_header) + + sizeof(struct intel_package_header) + + sizeof(struct intel_dmc_header); + if (fsize > fw->size) + goto error_truncated; + /* Extract CSS Header information*/ css_header = (struct intel_css_header *)fw->data; if (sizeof(struct intel_css_header) != @@ -349,6 +356,9 @@ static uint32_t *parse_csr_fw(struct drm_i915_private *dev_priv, return NULL; } readcount += dmc_offset; + fsize += dmc_offset; + if (fsize > fw->size) + goto error_truncated; /* Extract dmc_header information. */ dmc_header = (struct intel_dmc_header *)&fw->data[readcount]; @@ -379,6 +389,10 @@ static uint32_t *parse_csr_fw(struct drm_i915_private *dev_priv, /* fw_size is in dwords, so multiplied by 4 to convert into bytes. */ nbytes = dmc_header->fw_size * 4; + fsize += nbytes; + if (fsize > fw->size) + goto error_truncated; + if (nbytes > CSR_MAX_FW_SIZE) { DRM_ERROR("CSR firmware too big (%u) bytes\n", nbytes); return NULL; @@ -392,6 +406,10 @@ static uint32_t *parse_csr_fw(struct drm_i915_private *dev_priv, } return memcpy(dmc_payload, &fw->data[readcount], nbytes); + +error_truncated: + DRM_ERROR("Truncated DMC firmware, rejecting.\n"); + return NULL; } static void csr_load_work_fn(struct work_struct *work) -- 2.20.1