| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 30 Nov 2023 07:41:40 +0100
From: Christian König <christian.koenig@....com>
To: Alex Deucher <alexdeucher@...il.com>
Cc: Nikita Zhandarovich <n.zhandarovich@...tech.ru>,
Alex Deucher <alexander.deucher@....com>,
"Pan, Xinhui" <Xinhui.Pan@....com>, linux-kernel@...r.kernel.org,
dri-devel@...ts.freedesktop.org, amd-gfx@...ts.freedesktop.org
Subject: Re: [PATCH] drm/radeon/r600_cs: Fix possible int overflows in
r600_cs_check_reg()
Am 29.11.23 um 17:03 schrieb Alex Deucher:
> On Wed, Nov 29, 2023 at 10:47 AM Christian König
> <christian.koenig@....com> wrote:
>> Am 29.11.23 um 16:22 schrieb Nikita Zhandarovich:
>>> While improbable, there may be a chance of hitting integer
>>> overflow when the result of radeon_get_ib_value() gets shifted
>>> left.
>>>
>>> Avoid it by casting one of the operands to larger data type (u64).
>>>
>>> Found by Linux Verification Center (linuxtesting.org) with static
>>> analysis tool SVACE.
>> Well IIRC cb_color_bo_offset is just 32bits anyway, so this doesn't
>> change anything.
> All of the GPU addresses in the structure are u64. The registers are
> 32 bits which is why they are 256 byte aligned. That said, I think
> the MC on the chips supported by this code are only 32 bits so we
> shouldn't see any addresses greater than 32 bits, but this seems like
> good to do from a coding perspective. Otherwise, we'll keep getting
> this patch.
Just double checked it, in evergreen_cs_track the fields are just
32bits, but in r600_cs_track they are 64bits.
No idea if we every used the full address space, but it's probably a
good point to merge it just to silence the static checker warning.
Christian.
>
> Alex
>
>
> Alex
>
>> Regards,
>> Christian.
>>
>>> Fixes: 1729dd33d20b ("drm/radeon/kms: r600 CS parser fixes")
>>> Signed-off-by: Nikita Zhandarovich <n.zhandarovich@...tech.ru>
>>> ---
>>> drivers/gpu/drm/radeon/r600_cs.c | 4 ++--
>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/gpu/drm/radeon/r600_cs.c b/drivers/gpu/drm/radeon/r600_cs.c
>>> index 638f861af80f..6cf54a747749 100644
>>> --- a/drivers/gpu/drm/radeon/r600_cs.c
>>> +++ b/drivers/gpu/drm/radeon/r600_cs.c
>>> @@ -1275,7 +1275,7 @@ static int r600_cs_check_reg(struct radeon_cs_parser *p, u32 reg, u32 idx)
>>> return -EINVAL;
>>> }
>>> tmp = (reg - CB_COLOR0_BASE) / 4;
>>> - track->cb_color_bo_offset[tmp] = radeon_get_ib_value(p, idx) << 8;
>>> + track->cb_color_bo_offset[tmp] = (u64)radeon_get_ib_value(p, idx) << 8;
>>> ib[idx] += (u32)((reloc->gpu_offset >> 8) & 0xffffffff);
>>> track->cb_color_base_last[tmp] = ib[idx];
>>> track->cb_color_bo[tmp] = reloc->robj;
>>> @@ -1302,7 +1302,7 @@ static int r600_cs_check_reg(struct radeon_cs_parser *p, u32 reg, u32 idx)
>>> "0x%04X\n", reg);
>>> return -EINVAL;
>>> }
>>> - track->htile_offset = radeon_get_ib_value(p, idx) << 8;
>>> + track->htile_offset = (u64)radeon_get_ib_value(p, idx) << 8;
>>> ib[idx] += (u32)((reloc->gpu_offset >> 8) & 0xffffffff);
>>> track->htile_bo = reloc->robj;
>>> track->db_dirty = true;
Powered by blists - more mailing lists