drm/amdgpu: Fix bounds checking in amdgpu_ras_is_supported()

Submitted by Christian König on June 8, 2019, 12:37 p.m.


Message ID 3bcce070-801d-7cac-bfea-75858e610a3f@amd.com
State New
Headers show
Series "drm/amdgpu: Fix bounds checking in amdgpu_ras_is_supported()" ( rev: 3 ) in AMD X.Org drivers

Not browsing as part of any series.

Commit Message

Christian König June 8, 2019, 12:37 p.m.
Yes, that is undefined behavior what you do here.

See here as well https://stackoverflow.com/questions/11270492/what-does-the-c-standard-say-about-bitshifting-more-bits-than-the-width-of-type.


Am 08.06.19 um 14:27 schrieb Pan, Xinhui:
do you mean that something like 1<<65 might be a none zero value?
From: Dan Carpenter <dan.carpenter@oracle.com><mailto:dan.carpenter@oracle.com>

Sent: Saturday, June 8, 2019 5:23:57 PM
To: Deucher, Alexander; Pan, Xinhui
Cc: Koenig, Christian; Zhou, David(ChunMing); David Airlie; Daniel Vetter; Quan, Evan; Zhu, James; amd-gfx@lists.freedesktop.org<mailto:amd-gfx@lists.freedesktop.org>; dri-devel@lists.freedesktop.org<mailto:dri-devel@lists.freedesktop.org>; kernel-janitors@vger.kernel.org<mailto:kernel-janitors@vger.kernel.org>
Subject: [PATCH] drm/amdgpu: Fix bounds checking in amdgpu_ras_is_supported()

The "block" variable can be set by the user through debugfs, so it can
be quite large which leads to shift wrapping here.  This means we report
a "block" as supported when it's not, and that leads to array overflows
later on.

This bug is not really a security issue in real life, because debugfs is
generally root only.

Fixes: 36ea1bd2d084 ("drm/amdgpu: add debugfs ctrl node")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com><mailto:dan.carpenter@oracle.com>

 drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h | 2 ++
 1 file changed, 2 insertions(+)


Patch hide | download patch | download mbox

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h
index c6b34fbd695f..94c652f5265a 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h
@@ -173,6 +173,8 @@  static inline int amdgpu_ras_is_supported(struct amdgpu_device *adev,
         struct amdgpu_ras *ras = amdgpu_ras_get_context(adev);

+       if (block >= AMDGPU_RAS_BLOCK_COUNT)
+               return 0;
         return ras && (ras->supported & (1 << block));