Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp560348pxb; Wed, 25 Aug 2021 09:26:59 -0700 (PDT) X-Google-Smtp-Source: ABdhPJztoYq8Vm+7cgFROfa5FHf36jHxdkW3pctjQfvaZQ68VLOE5TsCmSsCsm03gD58lpTQu0Yj X-Received: by 2002:a17:906:6c8f:: with SMTP id s15mr10051598ejr.52.1629908819271; Wed, 25 Aug 2021 09:26:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629908819; cv=none; d=google.com; s=arc-20160816; b=GDlz51nh0Lv1zyql1W35DeNIYnAepeX9HipP99zsXYczBNzGfa+KZFEj9z7o4Vjbid /czbzT3MY/t1tjyrM3Z+x9P7IUySaHbVQhwB/YNMY2BlYjWk03H73z/pN4c6P2uSmZd5 rTEOk7nLXkpj8cPkvUQYt7Cx5OL4fDz+YVl/RMK1zhgAZAEkdzMa4f0uuRkjugcjV6lx gZ6GnK/VKcs0LzEyV+Bqu2CMEhaWqqCzUiaUF13Kut7YiwaGqAMdtokL1jDnwRgQzvxX 8j/sS5j93PNDh4mGD1z2Hp8gqxjQWdt33NvPT2Xk1e6TnF5h2kurQ/nMfN+lP+IItIlm QX8Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=N9XhY8p7G+0bDyMlbnytdHLPofSqK0+HvIRX3QNft6U=; b=MftD2FIfrIoNlUd8ksvMWEQ7URhEGq/9Xl3tOiJkoVmvQoNHyyGqx6uIAziELTamCW oYRhe1ys/nwalJEUksaj35y+IrpDOpIosLgg0PR2rDHf+TZgK0Jo3ay0RX4i7BY8Ico2 JLB/pdmhGEM1anhHn75pGdeOUkw/2T+xK2PqNzN+O3SFrbZRuprqitPBWwKOs2nOYcla 4tk+Uc3msbkNxf+tM8klyWOoyucJCqkxp6v4jXHR54ngHw9x+TybtOspRFpLyUjAxvnr DMIkjfLIE6D5D/K5sPX70iAtyjYBy1iujUhD48x9Eie+zVeKNWiV29o7GadyevYqVvcA IlIw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=er5jXCwF; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id kl24si213912ejc.190.2021.08.25.09.26.31; Wed, 25 Aug 2021 09:26:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=er5jXCwF; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241646AbhHYQV4 (ORCPT + 99 others); Wed, 25 Aug 2021 12:21:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38606 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240602AbhHYQVs (ORCPT ); Wed, 25 Aug 2021 12:21:48 -0400 Received: from mail-pl1-x630.google.com (mail-pl1-x630.google.com [IPv6:2607:f8b0:4864:20::630]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B33CBC0698C2 for ; Wed, 25 Aug 2021 09:20:00 -0700 (PDT) Received: by mail-pl1-x630.google.com with SMTP id q21so5647649plq.3 for ; Wed, 25 Aug 2021 09:20:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=N9XhY8p7G+0bDyMlbnytdHLPofSqK0+HvIRX3QNft6U=; b=er5jXCwFvNHmPXCLmHbM9lgRrgRCxgG1opusLq2zieJBNo77QgyOCSKYRVXtfsQ7oi k+L/TFn+Cgt5x4X3lQu+kAkG0XCM8G1fU8xVhlBZMClibfRNT8rfyCbV1bWD/NWn/qGQ cnLRWzWVgnoe9Nrf2hU/7dyApLfH1yGuGU9X0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=N9XhY8p7G+0bDyMlbnytdHLPofSqK0+HvIRX3QNft6U=; b=FhRVFophOcCAlwccq1XZWECNQQOn7/3asJ94wfgB9b3B8zAOZz8jyb4g0tR2wnsSyB iGYJuWrsnp3aztZTGr7L8EAMbODVtRTZHZHig+dqYGhqX0ScdRXt5oIboVWGAf3tq6Qi 0Z9MpYud1r8iOtpcUgXI3SRLASJlhEMG/48uKMle+2+Ow6HCvqZbUXlVUkf+3SkWMrem cai4hUfznvmUEYbcFb1cRQeUGLKX+/rSmjaqje0vqFcwJCXkNt1HeCFU1MzwUZS0bdCw XlkN4sbRJY50kMkpi4aEPYvFTy1bp2FFldijJ7jxaQkZYYCeWDU1n8rDvAFDTf44m/Kn hdwA== X-Gm-Message-State: AOAM5324Z+PcQH8+6RHUpCrubLUh9FM34QsTJKySD/9mpZeUnq9g4l/L KVYwj9CIyQvUtBXX9fI8ZsyhYA== X-Received: by 2002:a17:90a:4093:: with SMTP id l19mr11481974pjg.118.1629908400185; Wed, 25 Aug 2021 09:20:00 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id x19sm286030pfo.40.2021.08.25.09.19.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 25 Aug 2021 09:19:59 -0700 (PDT) From: Kees Cook To: =?UTF-8?q?Christian=20K=C3=B6nig?= Cc: Kees Cook , "Pan, Xinhui" , David Airlie , Daniel Vetter , Hawking Zhang , Feifei Xu , Likun Gao , Jiawei Gu , Evan Quan , amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, Lijo Lazar , Alex Deucher , Andrey Grodzovsky , Luben Tuikov , Sathishkumar S , Jonathan Kim , Darren Powell , Huang Rui , Xiaojian Du , Ryan Taylor , Graham Sider , Kevin Wang , David M Nieto , Lee Jones , John Clements , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH v2] drm/amd/pm: And destination bounds checking to struct copy Date: Wed, 25 Aug 2021 09:19:57 -0700 Message-Id: <20210825161957.3904130-1-keescook@chromium.org> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-Developer-Signature: v=1; a=openpgp-sha256; l=7050; h=from:subject; bh=vF67s6QnU0fC5nISbg7n5vHeCrbf4UxTJE11PW86ehA=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBhJm2sqJLOuF3URRcTav9BLmXNiA7slPCKTLtLOLI5 ImHjN5GJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYSZtrAAKCRCJcvTf3G3AJivOD/ wNaiUJ5ux73lmKYESY4bT3EXBpHilQ9p5V+3lwyxKfURqdki00w311PXX4vMM1L+hfQHL6TKPoiuc5 nzlR+CMZIshnglKxUWjttBLiAFLdZM9FAsusFb6JVISf9gGGRmapAG43us+wPX0T1YzNx6LWpkMU07 yh2xJ6QmFtrhgBe7S3ktSizAI4T32hGhOJ+Woh+YZxZw6psrqr+l6zEKRd9q8kOG7w+TEw6P1rx7O0 wWG+1jg8pSPk5KUVzLC/3FsSkEgaTpDNtTLkmMQayLKgi0MCQnRjseQ0VncXswyYwOni9Mn1Hu/En3 BPZyozNulGMZDtNEtMOygZZHXjx3hl2jwjMMkabwWZ2/J4Lt3XsZzQVN4POqDNEKGhQ+EcljGBNucY UrSIgQMYd17/Q1K8fJHRX4g5NGzDEBGyJu9TmpMj9d19HjpKZZ8Axsj55vcvVX8JoAokiziT8gjIho 6Jlvg9JAobQYZtLfBNzK4Ca3beMXk5vt+k1c7deuag4aAxohkNzXwtCtIW3qYtmgXWU2F0m5HDVA3G 9xBrdCFp83WAMTYNmxIgS7h3Rkkcyx5YvfbgxevaCg1QN5HZZzPW30x33v9YXgsTrXIjX7S+sX2LUt 66ZuedhDRBHLBDh0lwK7gJh40hnlcGPO2QduiNB5L3AYFQ3fqCPG/7GsYGxw== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields. The "Board Parameters" members of the structs: struct atom_smc_dpm_info_v4_5 struct atom_smc_dpm_info_v4_6 struct atom_smc_dpm_info_v4_7 struct atom_smc_dpm_info_v4_10 are written to the corresponding members of the corresponding PPTable_t variables, but they lack destination size bounds checking, which means the compiler cannot verify at compile time that this is an intended and safe memcpy(). Since the header files are effectively immutable[1] and a struct_group() cannot be used, nor a common struct referenced by both sides of the memcpy() arguments, add a new helper, amdgpu_memcpy_trailing(), to perform the bounds checking at compile time. Replace the open-coded memcpy()s with amdgpu_memcpy_trailing() which includes enough context for the bounds checking. "objdump -d" shows no object code changes. [1] https://lore.kernel.org/lkml/e56aad3c-a06f-da07-f491-a894a570d78f@amd.com Cc: "Christian König" Cc: "Pan, Xinhui" Cc: David Airlie Cc: Daniel Vetter Cc: Hawking Zhang Cc: Feifei Xu Cc: Likun Gao Cc: Jiawei Gu Cc: Evan Quan Cc: amd-gfx@lists.freedesktop.org Cc: dri-devel@lists.freedesktop.org Reviewed-by: Lijo Lazar Acked-by: Alex Deucher Signed-off-by: Kees Cook --- v2: - rename and move helper to drivers/gpu/drm/amd/pm/inc/amdgpu_smu.h - add reviews/acks v1: https://lore.kernel.org/lkml/20210819201441.3545027-1-keescook@chromium.org/ --- drivers/gpu/drm/amd/amdgpu/amdgpu.h | 1 + drivers/gpu/drm/amd/pm/inc/amdgpu_smu.h | 24 +++++++++++++++++++ .../gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 6 ++--- .../gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 8 +++---- .../drm/amd/pm/swsmu/smu13/aldebaran_ppt.c | 5 ++-- 5 files changed, 33 insertions(+), 11 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu.h b/drivers/gpu/drm/amd/amdgpu/amdgpu.h index dc3c6b3a00e5..c911387045e2 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h @@ -1452,4 +1452,5 @@ static inline int amdgpu_in_reset(struct amdgpu_device *adev) { return atomic_read(&adev->in_gpu_reset); } + #endif diff --git a/drivers/gpu/drm/amd/pm/inc/amdgpu_smu.h b/drivers/gpu/drm/amd/pm/inc/amdgpu_smu.h index 715b4225f5ee..29031eb11d39 100644 --- a/drivers/gpu/drm/amd/pm/inc/amdgpu_smu.h +++ b/drivers/gpu/drm/amd/pm/inc/amdgpu_smu.h @@ -1335,6 +1335,30 @@ enum smu_cmn2asic_mapping_type { #define WORKLOAD_MAP(profile, workload) \ [profile] = {1, (workload)} +/** + * amdgpu_memcpy_trailing - Copy the end of one structure into the middle of another + * + * @dst: Pointer to destination struct + * @first_dst_member: The member name in @dst where the overwrite begins + * @last_dst_member: The member name in @dst where the overwrite ends after + * @src: Pointer to the source struct + * @first_src_member: The member name in @src where the copy begins + * + */ +#define amdgpu_memcpy_trailing(dst, first_dst_member, last_dst_member, \ + src, first_src_member) \ +({ \ + size_t __src_offset = offsetof(typeof(*(src)), first_src_member); \ + size_t __src_size = sizeof(*(src)) - __src_offset; \ + size_t __dst_offset = offsetof(typeof(*(dst)), first_dst_member); \ + size_t __dst_size = offsetofend(typeof(*(dst)), last_dst_member) - \ + __dst_offset; \ + BUILD_BUG_ON(__src_size != __dst_size); \ + __builtin_memcpy((u8 *)(dst) + __dst_offset, \ + (u8 *)(src) + __src_offset, \ + __dst_size); \ +}) + #if !defined(SWSMU_CODE_LAYER_L2) && !defined(SWSMU_CODE_LAYER_L3) && !defined(SWSMU_CODE_LAYER_L4) int smu_get_power_limit(void *handle, uint32_t *limit, diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c index 273df66cac14..bda8fc12c91f 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c +++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c @@ -483,10 +483,8 @@ static int arcturus_append_powerplay_table(struct smu_context *smu) if ((smc_dpm_table->table_header.format_revision == 4) && (smc_dpm_table->table_header.content_revision == 6)) - memcpy(&smc_pptable->MaxVoltageStepGfx, - &smc_dpm_table->maxvoltagestepgfx, - sizeof(*smc_dpm_table) - offsetof(struct atom_smc_dpm_info_v4_6, maxvoltagestepgfx)); - + amdgpu_memcpy_trailing(smc_pptable, MaxVoltageStepGfx, BoardReserved, + smc_dpm_table, maxvoltagestepgfx); return 0; } diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c index f96681700c41..88a4a2aed48e 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c +++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c @@ -431,16 +431,16 @@ static int navi10_append_powerplay_table(struct smu_context *smu) switch (smc_dpm_table->table_header.content_revision) { case 5: /* nv10 and nv14 */ - memcpy(smc_pptable->I2cControllers, smc_dpm_table->I2cControllers, - sizeof(*smc_dpm_table) - sizeof(smc_dpm_table->table_header)); + amdgpu_memcpy_trailing(smc_pptable, I2cControllers, BoardReserved, + smc_dpm_table, I2cControllers); break; case 7: /* nv12 */ ret = amdgpu_atombios_get_data_table(adev, index, NULL, NULL, NULL, (uint8_t **)&smc_dpm_table_v4_7); if (ret) return ret; - memcpy(smc_pptable->I2cControllers, smc_dpm_table_v4_7->I2cControllers, - sizeof(*smc_dpm_table_v4_7) - sizeof(smc_dpm_table_v4_7->table_header)); + amdgpu_memcpy_trailing(smc_pptable, I2cControllers, BoardReserved, + smc_dpm_table_v4_7, I2cControllers); break; default: dev_err(smu->adev->dev, "smc_dpm_info with unsupported content revision %d!\n", diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c index ec8c30daf31c..d46b892846f6 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c +++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c @@ -409,9 +409,8 @@ static int aldebaran_append_powerplay_table(struct smu_context *smu) if ((smc_dpm_table->table_header.format_revision == 4) && (smc_dpm_table->table_header.content_revision == 10)) - memcpy(&smc_pptable->GfxMaxCurrent, - &smc_dpm_table->GfxMaxCurrent, - sizeof(*smc_dpm_table) - offsetof(struct atom_smc_dpm_info_v4_10, GfxMaxCurrent)); + amdgpu_memcpy_trailing(smc_pptable, GfxMaxCurrent, reserved, + smc_dpm_table, GfxMaxCurrent); return 0; } -- 2.30.2