On Sat, Nov 08, 2014 at 11:51:30PM +0100, Glenn Kennard wrote:
Signed-off-by: Glenn Kennard glenn.kennard@gmail.com
NAK insecure. This is missing any kind of boundary checking for the indirect buffer and thus can be abuse.
See patch sent to mesa-dev@lists.freedesktop.org for userspace usage.
drivers/gpu/drm/radeon/evergreen_cs.c | 76 +++++++++++++++++++++++++++++++++++ drivers/gpu/drm/radeon/evergreend.h | 1 + drivers/gpu/drm/radeon/radeon_drv.c | 3 +- 3 files changed, 79 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/radeon/evergreen_cs.c b/drivers/gpu/drm/radeon/evergreen_cs.c index 5c8b358..6173df3 100644 --- a/drivers/gpu/drm/radeon/evergreen_cs.c +++ b/drivers/gpu/drm/radeon/evergreen_cs.c @@ -1896,6 +1896,19 @@ static int evergreen_packet3_check(struct radeon_cs_parser *p, } break; }
- case PACKET3_INDEX_BUFFER_SIZE:
- {
if (pkt->count != 0) {DRM_ERROR("bad INDEX_BUFFER_SIZE\n");return -EINVAL;}r = evergreen_cs_track_check(p);if (r) {dev_warn(p->dev, "%s:%d invalid cmd stream\n", __func__, __LINE__);return r;}break;- } case PACKET3_DRAW_INDEX: { uint64_t offset;
@@ -2006,6 +2019,68 @@ static int evergreen_packet3_check(struct radeon_cs_parser *p, return r; } break;
- case PACKET3_SET_BASE:
- {
/*DW 1 HEADER Header of the packet. Shader_Type in bit 1 of the Header will correspond to the shader type of the Load, see Type-3 Packet.2 BASE_INDEX Bits [3:0] BASE_INDEX - Base Index specifies which base address is specified in the last two DWs.0001: DX11 Draw_Index_Indirect Patch Table Base: Base address for Draw_Index_Indirect data.3 ADDRESS_LO Bits [31:3] - Lower bits of QWORD-Aligned Address. Bits [2:0] - Reserved4 ADDRESS_HI Bits [31:8] - Reserved. Bits [7:0] - Upper bits of Address [47:32]*/uint64_t offset;if (pkt->count != 2) {DRM_ERROR("bad SET_BASE\n");return -EINVAL;}/* currently only supporting setting indirect draw buffer base address */if (radeon_get_ib_value(p, idx) != 1) {DRM_ERROR("bad SET_BASE\n");return -EINVAL;}r = radeon_cs_packet_next_reloc(p, &reloc, 0);if (r) {DRM_ERROR("bad SET_BASE\n");return -EINVAL;}offset = reloc->gpu_offset +radeon_get_ib_value(p, idx+1) +((u64)(radeon_get_ib_value(p, idx+2) & 0xff) << 32);ib[idx+1] = offset;ib[idx+2] = upper_32_bits(offset) & 0xff;r = evergreen_cs_track_check(p);if (r) {dev_warn(p->dev, "%s:%d invalid cmd stream\n", __func__, __LINE__);return r;}break;- }
- case PACKET3_DRAW_INDIRECT:
- case PACKET3_DRAW_INDEX_INDIRECT:
- case PACKET3_DRAW_INDIRECT_MULTI:
- {
/*DW 1 HEADER2 DATA_OFFSET Bits [31:0] + byte aligned offset where the required data structure starts. Bits 1:0 are zero3 DRAW_INITIATOR Draw Initiator Register. Written to the VGT_DRAW_INITIATOR register for the assigned context*/if (pkt->count != 1) {DRM_ERROR("bad DRAW_INDIRECT\n");return -EINVAL;}r = evergreen_cs_track_check(p);if (r) {dev_warn(p->dev, "%s:%d invalid cmd stream\n", __func__, __LINE__);return r;}break;- } case PACKET3_DISPATCH_DIRECT: if (pkt->count != 3) { DRM_ERROR("bad DISPATCH_DIRECT\n");
@@ -3260,6 +3335,7 @@ static int evergreen_vm_packet3_check(struct radeon_device *rdev, case PACKET3_DRAW_INDEX_OFFSET: case PACKET3_INDEX_TYPE: case PACKET3_DRAW_INDEX:
- case PACKET3_DRAW_INDIRECT_MULTI: case PACKET3_DRAW_INDEX_AUTO: case PACKET3_DRAW_INDEX_IMMD: case PACKET3_NUM_INSTANCES:
diff --git a/drivers/gpu/drm/radeon/evergreend.h b/drivers/gpu/drm/radeon/evergreend.h index b066d67..5d4c5f2 100644 --- a/drivers/gpu/drm/radeon/evergreend.h +++ b/drivers/gpu/drm/radeon/evergreend.h @@ -1553,6 +1553,7 @@ #define PACKET3_DRAW_INDEX_OFFSET 0x29 #define PACKET3_INDEX_TYPE 0x2A #define PACKET3_DRAW_INDEX 0x2B +#define PACKET3_DRAW_INDIRECT_MULTI 0x2C #define PACKET3_DRAW_INDEX_AUTO 0x2D #define PACKET3_DRAW_INDEX_IMMD 0x2E #define PACKET3_NUM_INSTANCES 0x2F diff --git a/drivers/gpu/drm/radeon/radeon_drv.c b/drivers/gpu/drm/radeon/radeon_drv.c index dcffa30..fbd1f73 100644 --- a/drivers/gpu/drm/radeon/radeon_drv.c +++ b/drivers/gpu/drm/radeon/radeon_drv.c @@ -86,9 +86,10 @@
- 2.39.0 - Add INFO query for number of active CUs
- 2.40.0 - Add RADEON_GEM_GTT_WC/UC, flush HDP cache before submitting
CS to GPU on >= r600
*/
- 2.41.0 - evergreen/cayman: Add SET_BASE/DRAW_INDIRECT command parsing support
#define KMS_DRIVER_MAJOR 2 -#define KMS_DRIVER_MINOR 40 +#define KMS_DRIVER_MINOR 41 #define KMS_DRIVER_PATCHLEVEL 0 int radeon_driver_load_kms(struct drm_device *dev, unsigned long flags); int radeon_driver_unload_kms(struct drm_device *dev); -- 1.9.1
dri-devel mailing list dri-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/dri-devel