From patchwork Thu Apr 2 15:29:20 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Lucas Stach
X-Patchwork-Id: 6149321
Return-Path:
X-Original-To: patchwork-dri-devel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id 750999F725 for ; Thu, 2 Apr 2015 15:31:27 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id A9353203AC for ; Thu, 2 Apr 2015 15:31:23 +0000 (UTC)
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) by mail.kernel.org (Postfix) with ESMTP id D0AF6203AB for ; Thu, 2 Apr 2015 15:31:22 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 669CC6EA4F; Thu, 2 Apr 2015 08:30:59 -0700 (PDT)
X-Original-To: dri-devel@lists.freedesktop.org
Delivered-To: dri-devel@lists.freedesktop.org
Received: from metis.ext.pengutronix.de (metis.ext.pengutronix.de [92.198.50.35]) by gabe.freedesktop.org (Postfix) with ESMTP id CB46F6EA43 for ; Thu, 2 Apr 2015 08:30:56 -0700 (PDT)
Received: from dude.hi.4.pengutronix.de ([10.1.0.7] helo=dude.pengutronix.de.) by metis.ext.pengutronix.de with esmtp (Exim 4.72) (envelope-from ) id 1Ydh56-0005OD-2b; Thu, 02 Apr 2015 17:30:56 +0200
From: Lucas Stach
To: dri-devel@lists.freedesktop.org
Subject: [PATCH RFC 018/111] staging: etnaviv: validation: improve relocation validation
Date: Thu, 2 Apr 2015 17:29:20 +0200
Message-Id: <1427988653-754-19-git-send-email-l.stach@pengutronix.de>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1427988653-754-1-git-send-email-l.stach@pengutronix.de>
References: <1427988653-754-1-git-send-email-l.stach@pengutronix.de>
X-SA-Exim-Connect-IP: 10.1.0.7
X-SA-Exim-Mail-From: l.stach@pengutronix.de
X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de); SAEximRunCond expanded to false
X-PTX-Original-Recipient: dri-devel@lists.freedesktop.org
Cc: Russell King , kernel@pengutronix.de
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
MIME-Version: 1.0
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel"
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, T_RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Russell King

Currently, relocations can apply an unbounded amount of offset to the address member. This permits the offset to be used to access memory outside of the associated buffer. Ensure that the offset is within the size of the object.

This is not a complete fix, as we are unaware of the size of the GPU rectangles operation, but this at least ensures that we catch this form of abuse.

Signed-off-by: Russell King
---
 drivers/staging/etnaviv/etnaviv_gem_submit.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/etnaviv/etnaviv_gem_submit.c b/drivers/staging/etnaviv/etnaviv_gem_submit.c
index 39ae61ab43fd..78c56adfcffc 100644
--- a/drivers/staging/etnaviv/etnaviv_gem_submit.c
+++ b/drivers/staging/etnaviv/etnaviv_gem_submit.c @@ -245,6 +245,7 @@ static int submit_reloc(struct etnaviv_gem_submit *submit, struct etnaviv_gem_ob for (i = 0; i < nr_relocs; i++) { struct drm_etnaviv_gem_submit_reloc submit_reloc; + struct etnaviv_gem_object *bobj; void __user *userptr = to_user_ptr(relocs + (i * sizeof(submit_reloc))); uint32_t iova, off; @@ -269,13 +270,20 @@ static int submit_reloc(struct etnaviv_gem_submit *submit, struct etnaviv_gem_ob return -EINVAL; } - ret = submit_bo(submit, submit_reloc.reloc_idx, NULL, &iova, &valid); + ret = submit_bo(submit, submit_reloc.reloc_idx, &bobj, + &iova, &valid); if (ret) return ret; if (valid) continue; + if (submit_reloc.reloc_offset >= + bobj->base.size - sizeof(*ptr)) { + DRM_ERROR("relocation %u outside object", i); + return -EINVAL; + } + iova += submit_reloc.reloc_offset; if (submit_reloc.shift < 0)
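Review bot: the bound in the second hunk, `if (submit_reloc.reloc_offset >= bobj->base.size - sizeof(*ptr))`, is one word too strict: an offset of exactly `size - sizeof(*ptr)` still leaves `sizeof(*ptr)` bytes inside the object, so `>` expresses the stated intent ("within the size of the object") while `>=` rejects the last in-bounds word; if the extra margin is deliberate, a comment should say so. Two more points on the same hunk: the check is placed after `if (valid) continue;`, so a relocation against a BO that is already valid is never range-checked, and the commit message should state why `reloc_offset` is not applied on that path; and `bobj->base.size - sizeof(*ptr)` wraps if an object smaller than `sizeof(*ptr)` ever reaches this function, so either guard `size < sizeof(*ptr)` first or write the test as `reloc_offset + sizeof(*ptr) > size` with an overflow-safe addition. Finally, `DRM_ERROR("relocation %u outside object", i)` fires on a condition any client can trigger at will, which lets unprivileged userspace fill the kernel log; a `DRM_DEBUG`-level or rate-limited message is the usual choice for submit validation failures, and including the offending offset and `bobj->base.size` in it would make the rejection easier to diagnose.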