[v3] intel/decoder: fix the possible out of bounds group_iter

Submitted by andrey simiklit on Aug. 20, 2018, 4:20 p.m.

Details

Message ID 1534782059-21893-1-git-send-email-asimiklit.work@gmail.com
State New
Series "intel/decoder: fix the possible out of bounds group_iter" ( rev: 3 ) in Mesa

Commit Message

andrey simiklit Aug. 20, 2018, 4:20 p.m.
From: Andrii Simiklit <andrii.simiklit@globallogic.com>

The "gen_group_get_length" function can return a negative value
and it can lead to the out of bounds group_iter.

v2: printing of "unknown command type" was added
v3: just the asserts are added

Signed-off-by: Andrii Simiklit <andrii.simiklit@globallogic.com>
---
 src/intel/common/gen_decoder.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Patch

diff --git a/src/intel/common/gen_decoder.c b/src/intel/common/gen_decoder.c
index ec0a486..2d9609a 100644
--- a/src/intel/common/gen_decoder.c
+++ b/src/intel/common/gen_decoder.c
@@ -803,8 +803,10 @@  static bool
 iter_more_groups(const struct gen_field_iterator *iter)
 {
    if (iter->group->variable) {
+      int length = gen_group_get_length(iter->group, iter->p);
+      assert(length >= 0 && "error the length is unknown!");
       return iter_group_offset_bits(iter, iter->group_iter + 1) <
-              (gen_group_get_length(iter->group, iter->p) * 32);
+              (length * 32);
    } else {
       return (iter->group_iter + 1) < iter->group->group_count ||
          iter->group->next != NULL;
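Review bot: the assert added at the top of the variable-group branch in iter_more_groups() only protects builds where assertions are enabled; with NDEBUG defined it compiles away and a negative value from gen_group_get_length() still reaches the `< (length * 32)` comparison, which is the case the commit message says leads to the out-of-bounds group_iter. Because the length is computed from the data at iter->p, an explicit check that returns false when length < 0 would hold in every build configuration, and the assert can stay next to it if a debug-time trap is still wanted.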
@@ -991,6 +993,7 @@  gen_field_iterator_init(struct gen_field_iterator *iter,
    iter->p_bit = p_bit;
 
    int length = gen_group_get_length(iter->group, iter->p);
+   assert(length >= 0 && "error the length is unknown!");
    iter->p_end = length > 0 ? &p[length] : NULL;
    iter->print_colors = print_colors;
 }
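Review bot: in gen_field_iterator_init() the added assert rejects a negative length, but the following line, `iter->p_end = length > 0 ? &p[length] : NULL;`, already maps every non-positive length to a NULL p_end, so the two lines disagree on whether an unknown length is a tolerated input or a programming error. If it is tolerated, the assert makes debug builds abort on data that builds without assertions accept; if it is an error, a short comment should say what a NULL p_end means to the iterator and why length == 0 is still let through.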

Comments

On 20/08/2018 17:20, asimiklit.work@gmail.com wrote:
> From: Andrii Simiklit <andrii.simiklit@globallogic.com>
>
> The "gen_group_get_length" function can return a negative value
> and it can lead to the out of bounds group_iter.
>
> v2: printing of "unknown command type" was added
> v3: just the asserts are added
>
> Signed-off-by: Andrii Simiklit <andrii.simiklit@globallogic.com>

Reviewed-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>

Somebody should take a look at the other patches I sent out ;)
Thanks!

-
Lionel
> ---
>   src/intel/common/gen_decoder.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/src/intel/common/gen_decoder.c b/src/intel/common/gen_decoder.c
> index ec0a486..2d9609a 100644
> --- a/src/intel/common/gen_decoder.c
> +++ b/src/intel/common/gen_decoder.c
> @@ -803,8 +803,10 @@ static bool
>   iter_more_groups(const struct gen_field_iterator *iter)
>   {
>      if (iter->group->variable) {
> +      int length = gen_group_get_length(iter->group, iter->p);
> +      assert(length >= 0 && "error the length is unknown!");
>         return iter_group_offset_bits(iter, iter->group_iter + 1) <
> -              (gen_group_get_length(iter->group, iter->p) * 32);
> +              (length * 32);
>      } else {
>         return (iter->group_iter + 1) < iter->group->group_count ||
>            iter->group->next != NULL;
> @@ -991,6 +993,7 @@ gen_field_iterator_init(struct gen_field_iterator *iter,
>      iter->p_bit = p_bit;
>   
>      int length = gen_group_get_length(iter->group, iter->p);
> +   assert(length >= 0 && "error the length is unknown!");
>      iter->p_end = length > 0 ? &p[length] : NULL;
>      iter->print_colors = print_colors;
>   }
Hi all,

Could somebody push this small patch to mesa?

Regards,
Andrii.
On Mon, Aug 20, 2018 at 9:13 PM Lionel Landwerlin <
lionel.g.landwerlin@intel.com> wrote:

> On 20/08/2018 17:20, asimiklit.work@gmail.com wrote:
> > From: Andrii Simiklit <andrii.simiklit@globallogic.com>
> >
> > The "gen_group_get_length" function can return a negative value
> > and it can lead to the out of bounds group_iter.
> >
> > v2: printing of "unknown command type" was added
> > v3: just the asserts are added
> >
> > Signed-off-by: Andrii Simiklit <andrii.simiklit@globallogic.com>
>
> Reviewed-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
>
> Somebody should take a look at the other patches I sent out ;)
> Thanks!
>
> -
> Lionel
> > ---
> >   src/intel/common/gen_decoder.c | 5 ++++-
> >   1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/src/intel/common/gen_decoder.c
> b/src/intel/common/gen_decoder.c
> > index ec0a486..2d9609a 100644
> > --- a/src/intel/common/gen_decoder.c
> > +++ b/src/intel/common/gen_decoder.c
> > @@ -803,8 +803,10 @@ static bool
> >   iter_more_groups(const struct gen_field_iterator *iter)
> >   {
> >      if (iter->group->variable) {
> > +      int length = gen_group_get_length(iter->group, iter->p);
> > +      assert(length >= 0 && "error the length is unknown!");
> >         return iter_group_offset_bits(iter, iter->group_iter + 1) <
> > -              (gen_group_get_length(iter->group, iter->p) * 32);
> > +              (length * 32);
> >      } else {
> >         return (iter->group_iter + 1) < iter->group->group_count ||
> >            iter->group->next != NULL;
> > @@ -991,6 +993,7 @@ gen_field_iterator_init(struct gen_field_iterator
> *iter,
> >      iter->p_bit = p_bit;
> >
> >      int length = gen_group_get_length(iter->group, iter->p);
> > +   assert(length >= 0 && "error the length is unknown!");
> >      iter->p_end = length > 0 ? &p[length] : NULL;
> >      iter->print_colors = print_colors;
> >   }
>
>
>
Done.

-
Lionel

On 03/09/2018 08:55, andrey simiklit wrote:
> Hi all,
>
> Could somebody push this small patch to mesa?
>
> Regards,
> Andrii.
> On Mon, Aug 20, 2018 at 9:13 PM Lionel Landwerlin
> <lionel.g.landwerlin@intel.com> wrote:
>
>     On 20/08/2018 17:20, asimiklit.work@gmail.com wrote:
>     > From: Andrii Simiklit <andrii.simiklit@globallogic.com>
>     >
>     > The "gen_group_get_length" function can return a negative value
>     > and it can lead to the out of bounds group_iter.
>     >
>     > v2: printing of "unknown command type" was added
>     > v3: just the asserts are added
>     >
>     > Signed-off-by: Andrii Simiklit <andrii.simiklit@globallogic.com>
>
>     Reviewed-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
>
>     Somebody should take a look at the other patches I sent out ;)
>     Thanks!
>
>     -
>     Lionel
>     > ---
>     >   src/intel/common/gen_decoder.c | 5 ++++-
>     >   1 file changed, 4 insertions(+), 1 deletion(-)
>     >
>     > diff --git a/src/intel/common/gen_decoder.c
>     b/src/intel/common/gen_decoder.c
>     > index ec0a486..2d9609a 100644
>     > --- a/src/intel/common/gen_decoder.c
>     > +++ b/src/intel/common/gen_decoder.c
>     > @@ -803,8 +803,10 @@ static bool
>     >   iter_more_groups(const struct gen_field_iterator *iter)
>     >   {
>     >      if (iter->group->variable) {
>     > +      int length = gen_group_get_length(iter->group, iter->p);
>     > +      assert(length >= 0 && "error the length is unknown!");
>     >         return iter_group_offset_bits(iter, iter->group_iter + 1) <
>     > - (gen_group_get_length(iter->group, iter->p) * 32);
>     > +              (length * 32);
>     >      } else {
>     >         return (iter->group_iter + 1) < iter->group->group_count ||
>     >            iter->group->next != NULL;
>     > @@ -991,6 +993,7 @@ gen_field_iterator_init(struct
>     gen_field_iterator *iter,
>     >      iter->p_bit = p_bit;
>     >
>     >      int length = gen_group_get_length(iter->group, iter->p);
>     > +   assert(length >= 0 && "error the length is unknown!");
>     >      iter->p_end = length > 0 ? &p[length] : NULL;
>     >      iter->print_colors = print_colors;
>     >   }
>
>
Hi,

Thanks a lot.

Regards,
Andrii.

On Mon, Sep 3, 2018 at 1:16 PM Lionel Landwerlin <
lionel.g.landwerlin@intel.com> wrote:

> Done.
>
> -
> Lionel
>
> On 03/09/2018 08:55, andrey simiklit wrote:
>
> Hi all,
>
> Could somebody push this small patch to mesa?
>
> Regards,
> Andrii.
> On Mon, Aug 20, 2018 at 9:13 PM Lionel Landwerlin <
> lionel.g.landwerlin@intel.com> wrote:
>
>> On 20/08/2018 17:20, asimiklit.work@gmail.com wrote:
>> > From: Andrii Simiklit <andrii.simiklit@globallogic.com>
>> >
>> > The "gen_group_get_length" function can return a negative value
>> > and it can lead to the out of bounds group_iter.
>> >
>> > v2: printing of "unknown command type" was added
>> > v3: just the asserts are added
>> >
>> > Signed-off-by: Andrii Simiklit <andrii.simiklit@globallogic.com>
>>
>> Reviewed-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
>>
>> Somebody should take a look at the other patches I sent out ;)
>> Thanks!
>>
>> -
>> Lionel
>> > ---
>> >   src/intel/common/gen_decoder.c | 5 ++++-
>> >   1 file changed, 4 insertions(+), 1 deletion(-)
>> >
>> > diff --git a/src/intel/common/gen_decoder.c
>> b/src/intel/common/gen_decoder.c
>> > index ec0a486..2d9609a 100644
>> > --- a/src/intel/common/gen_decoder.c
>> > +++ b/src/intel/common/gen_decoder.c
>> > @@ -803,8 +803,10 @@ static bool
>> >   iter_more_groups(const struct gen_field_iterator *iter)
>> >   {
>> >      if (iter->group->variable) {
>> > +      int length = gen_group_get_length(iter->group, iter->p);
>> > +      assert(length >= 0 && "error the length is unknown!");
>> >         return iter_group_offset_bits(iter, iter->group_iter + 1) <
>> > -              (gen_group_get_length(iter->group, iter->p) * 32);
>> > +              (length * 32);
>> >      } else {
>> >         return (iter->group_iter + 1) < iter->group->group_count ||
>> >            iter->group->next != NULL;
>> > @@ -991,6 +993,7 @@ gen_field_iterator_init(struct gen_field_iterator
>> *iter,
>> >      iter->p_bit = p_bit;
>> >
>> >      int length = gen_group_get_length(iter->group, iter->p);
>> > +   assert(length >= 0 && "error the length is unknown!");
>> >      iter->p_end = length > 0 ? &p[length] : NULL;
>> >      iter->print_colors = print_colors;
>> >   }
>>
>>
>>
>