From patchwork Sun Dec 13 18:39:25 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: "Souza, Jose" <jose.souza@intel.com>
X-Patchwork-Id: 11970933
Return-Path: <SRS0=c36g=FR=lists.freedesktop.org=intel-gfx-bounces@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,
	HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT
	autolearn=unavailable autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 60D6BC4361B
	for <intel-gfx@archiver.kernel.org>; Sun, 13 Dec 2020 18:39:28 +0000 (UTC)
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 2443C23123
	for <intel-gfx@archiver.kernel.org>; Sun, 13 Dec 2020 18:39:28 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 2443C23123
Authentication-Results: mail.kernel.org;
 dmarc=fail (p=none dis=none) header.from=intel.com
Authentication-Results: mail.kernel.org;
 spf=none smtp.mailfrom=intel-gfx-bounces@lists.freedesktop.org
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id 94FB589C61;
	Sun, 13 Dec 2020 18:39:23 +0000 (UTC)
Received: from mga04.intel.com (mga04.intel.com [192.55.52.120])
 by gabe.freedesktop.org (Postfix) with ESMTPS id C2BD389C59;
 Sun, 13 Dec 2020 18:39:20 +0000 (UTC)
IronPort-SDR: 
 3Ncc2Apa2ouhtjQoxHvs7GMVpu/zTsBgHFyGWv6dG0rKEqj6Ea+dzOL/xE9YxanD8T/bKjI3f8
 rj+SR/WyI38g==
X-IronPort-AV: E=McAfee;i="6000,8403,9834"; a="172054605"
X-IronPort-AV: E=Sophos;i="5.78,416,1599548400"; d="scan'208";a="172054605"
Received: from orsmga001.jf.intel.com ([10.7.209.18])
 by fmsmga104.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 13 Dec 2020 10:39:20 -0800
IronPort-SDR: 
 Wj21kFTfXDi8B5Vz1b8OBy0RKtdUCfLolIN1cFr8pvqF0T4aHbXCgaWFnQiapojtUSKENhW1Id
 aJVUp6b4no0g==
X-IronPort-AV: E=Sophos;i="5.78,416,1599548400"; d="scan'208";a="410649972"
Received: from ihazan-mobl1.ger.corp.intel.com (HELO josouza-mobl2.intel.com)
 ([10.255.70.79])
 by orsmga001-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 13 Dec 2020 10:39:16 -0800
From: =?utf-8?q?Jos=C3=A9_Roberto_de_Souza?= <jose.souza@intel.com>
To: intel-gfx@lists.freedesktop.org
Date: Sun, 13 Dec 2020 10:39:25 -0800
Message-Id: <20201213183930.349592-1-jose.souza@intel.com>
X-Mailer: git-send-email 2.29.2
MIME-Version: 1.0
Subject: [Intel-gfx] [PATCH v5 1/6] drm/damage_helper: Check if damage clips
 has valid values
X-BeenThere: intel-gfx@lists.freedesktop.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Intel graphics driver community testing & development
 <intel-gfx.lists.freedesktop.org>
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/intel-gfx>,
 <mailto:intel-gfx-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/intel-gfx>
List-Post: <mailto:intel-gfx@lists.freedesktop.org>
List-Help: <mailto:intel-gfx-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/intel-gfx>,
 <mailto:intel-gfx-request@lists.freedesktop.org?subject=subscribe>
Cc: Simon Ser <contact@emersion.fr>, dri-devel@lists.freedesktop.org,
 Sean Paul <seanpaul@chromium.org>, Deepak Rawat <drawat@vmware.com>,
 Fabio Estevam <festevam@gmail.com>
Errors-To: intel-gfx-bounces@lists.freedesktop.org
Sender: "Intel-gfx" <intel-gfx-bounces@lists.freedesktop.org>

Userspace can set a damage clip with a negative coordinate, negative
width or height or larger than the plane.
This invalid values could cause issues in some HW or even worst enable
security flaws.

v2:
- add debug messages to let userspace know why atomic commit failed
due invalid damage clips

Cc: Simon Ser <contact@emersion.fr>
Cc: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
Cc: Sean Paul <seanpaul@chromium.org>
Cc: Fabio Estevam <festevam@gmail.com>
Cc: Deepak Rawat <drawat@vmware.com>
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: José Roberto de Souza <jose.souza@intel.com>
---
 drivers/gpu/drm/drm_atomic_helper.c |  4 +-
 drivers/gpu/drm/drm_damage_helper.c | 59 ++++++++++++++++++++++++-----
 include/drm/drm_damage_helper.h     |  4 +-
 3 files changed, 55 insertions(+), 12 deletions(-)

diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
index ba1507036f26..c6b341ecae2c 100644
--- a/drivers/gpu/drm/drm_atomic_helper.c
+++ b/drivers/gpu/drm/drm_atomic_helper.c
@@ -897,7 +897,9 @@ drm_atomic_helper_check_planes(struct drm_device *dev,
 
 		drm_atomic_helper_plane_changed(state, old_plane_state, new_plane_state, plane);
 
-		drm_atomic_helper_check_plane_damage(state, new_plane_state);
+		ret = drm_atomic_helper_check_plane_damage(state, new_plane_state);
+		if (ret)
+			return ret;
 
 		if (!funcs || !funcs->atomic_check)
 			continue;
diff --git a/drivers/gpu/drm/drm_damage_helper.c b/drivers/gpu/drm/drm_damage_helper.c
index 3a4126dc2520..69a557aaa8cf 100644
--- a/drivers/gpu/drm/drm_damage_helper.c
+++ b/drivers/gpu/drm/drm_damage_helper.c
@@ -33,6 +33,7 @@
 #include <drm/drm_atomic.h>
 #include <drm/drm_damage_helper.h>
 #include <drm/drm_device.h>
+#include <drm/drm_print.h>
 
 /**
  * DOC: overview
@@ -104,36 +105,76 @@ void drm_plane_enable_fb_damage_clips(struct drm_plane *plane)
 EXPORT_SYMBOL(drm_plane_enable_fb_damage_clips);
 
 /**
- * drm_atomic_helper_check_plane_damage - Verify plane damage on atomic_check.
+ * drm_atomic_helper_check_plane_damage - Verify plane damage clips on
+ * atomic_check.
  * @state: The driver state object.
- * @plane_state: Plane state for which to verify damage.
+ * @plane_state: Plane state for which to verify damage clips.
  *
- * This helper function makes sure that damage from plane state is discarded
- * for full modeset. If there are more reasons a driver would want to do a full
- * plane update rather than processing individual damage regions, then those
- * cases should be taken care of here.
+ * This helper checks if all damage clips has valid values and makes sure that
+ * damage clips from plane state is discarded for full modeset. If there are
+ * more reasons a driver would want to do a full plane update rather than
+ * processing individual damage regions, then those cases should be taken care
+ * of here.
  *
  * Note that &drm_plane_state.fb_damage_clips == NULL in plane state means that
  * full plane update should happen. It also ensure helper iterator will return
  * &drm_plane_state.src as damage.
+ *
+ * Return: Zero on success, negative errno on failure.
  */
-void drm_atomic_helper_check_plane_damage(struct drm_atomic_state *state,
-					  struct drm_plane_state *plane_state)
+int drm_atomic_helper_check_plane_damage(struct drm_atomic_state *state,
+					 struct drm_plane_state *plane_state)
 {
+	struct drm_mode_rect *damage_clips;
 	struct drm_crtc_state *crtc_state;
+	unsigned int num_clips, w, h;
+
+	num_clips = drm_plane_get_damage_clips_count(plane_state);
+	if (!num_clips)
+		return 0;
 
 	if (plane_state->crtc) {
 		crtc_state = drm_atomic_get_new_crtc_state(state,
 							   plane_state->crtc);
 
 		if (WARN_ON(!crtc_state))
-			return;
+			return 0;
 
 		if (drm_atomic_crtc_needs_modeset(crtc_state)) {
 			drm_property_blob_put(plane_state->fb_damage_clips);
 			plane_state->fb_damage_clips = NULL;
+			return 0;
+		}
+	}
+
+	w = drm_rect_width(&plane_state->src) >> 16;
+	h = drm_rect_height(&plane_state->src) >> 16;
+	damage_clips = drm_plane_get_damage_clips(plane_state);
+
+	for (; num_clips; num_clips--, damage_clips++) {
+		if (damage_clips->x1 < 0 || damage_clips->x2 < 0 ||
+		    damage_clips->y1 < 0 || damage_clips->y2 < 0) {
+			drm_dbg_atomic(state->dev,
+				       "Invalid damage clip, negative coordinate\n");
+			return -EINVAL;
+		}
+
+		if (damage_clips->x2 < damage_clips->x1 ||
+		    damage_clips->y2 < damage_clips->y1) {
+			drm_dbg_atomic(state->dev,
+				       "Invalid damage clip, negative width or height\n");
+			return -EINVAL;
+		}
+
+		if ((damage_clips->x2 - damage_clips->x1) > w ||
+		    (damage_clips->y2 - damage_clips->y1) > h) {
+			drm_dbg_atomic(state->dev,
+				       "Invalid damage clip, width or height larger than plane\n");
+			return -EINVAL;
 		}
 	}
+
+	return 0;
 }
 EXPORT_SYMBOL(drm_atomic_helper_check_plane_damage);
 
diff --git a/include/drm/drm_damage_helper.h b/include/drm/drm_damage_helper.h
index 40c34a5bf149..5e344d1a2b22 100644
--- a/include/drm/drm_damage_helper.h
+++ b/include/drm/drm_damage_helper.h
@@ -65,8 +65,8 @@ struct drm_atomic_helper_damage_iter {
 };
 
 void drm_plane_enable_fb_damage_clips(struct drm_plane *plane);
-void drm_atomic_helper_check_plane_damage(struct drm_atomic_state *state,
-					  struct drm_plane_state *plane_state);
+int drm_atomic_helper_check_plane_damage(struct drm_atomic_state *state,
+					 struct drm_plane_state *plane_state);
 int drm_atomic_helper_dirtyfb(struct drm_framebuffer *fb,
 			      struct drm_file *file_priv, unsigned int flags,
 			      unsigned int color, struct drm_clip_rect *clips,