BugLink: https://launchpad.net/bugs/1852141
When a jump_whitelist bitmap is reused, it needs to be cleared.
Currently this is done with memset() and the size calculation assumes
bitmaps are made of 32-bit words, not longs. So on 64-bit
architectures, only the first half of the bitmap is cleared.
If some whitelist bits are carried over between successive batches
submitted on the same context, this will presumably allow embedding
the rogue instructions that we're trying to reject.
Use bitmap_zero() instead, which gets the calculation right.
Fixes: f8c08d8faee5 ("drm/i915/cmdparser: Add support for backward jumps")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
CVE-2019-0155
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
return;
if (batch_cmds <= ctx->jump_whitelist_cmds) {
- memset(ctx->jump_whitelist, 0, exact_size * sizeof(u32));
+ bitmap_zero(ctx->jump_whitelist, batch_cmds);
return;
}
}
DRM_DEBUG("CMD: Failed to extend whitelist. BB_START may be disallowed\n");
- memset(ctx->jump_whitelist, 0,
- BITS_TO_LONGS(ctx->jump_whitelist_cmds) * sizeof(u32));
+ bitmap_zero(ctx->jump_whitelist, ctx->jump_whitelist_cmds);
return;
}