| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20191219183147.737569155@linuxfoundation.org>
Date: Thu, 19 Dec 2019 19:35:10 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org,
Alex Williamson <alex.williamson@...hat.com>,
Gao Fred <fred.gao@...el.com>,
Zhenyu Wang <zhenyuw@...ux.intel.com>
Subject: [PATCH 5.4 78/80] drm/i915/gvt: Fix cmd length check for MI_ATOMIC
From: Zhenyu Wang <zhenyuw@...ux.intel.com>
commit 92b1aa773fadb4e2a90ed5d3beecb422d568ad9a upstream.
Correct valid command length check for MI_ATOMIC, need to check inline
data available field instead of operand data length for whole command.
Fixes: 00a33be40634 ("drm/i915/gvt: Add valid length check for MI variable commands")
Reported-by: Alex Williamson <alex.williamson@...hat.com>
Acked-by: Gao Fred <fred.gao@...el.com>
Cc: stable@...r.kernel.org
Signed-off-by: Zhenyu Wang <zhenyuw@...ux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
drivers/gpu/drm/i915/gvt/cmd_parser.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/i915/gvt/cmd_parser.c
+++ b/drivers/gpu/drm/i915/gvt/cmd_parser.c
@@ -1597,9 +1597,9 @@ static int cmd_handler_mi_op_2f(struct p
if (!(cmd_val(s, 0) & (1 << 22)))
return ret;
- /* check if QWORD */
- if (DWORD_FIELD(0, 20, 19) == 1)
- valid_len += 8;
+ /* check inline data */
+ if (cmd_val(s, 0) & BIT(18))
+ valid_len = CMD_LEN(9);
ret = gvt_check_valid_cmd_length(cmd_length(s),
valid_len);
if (ret)
Powered by blists - more mailing lists