UBUNTU: SAUCE: drm/i915/cmdparser: Fix jump whitelist clearing
authorBen Hutchings <ben@decadent.org.uk>
Sun, 10 Nov 2019 22:38:00 +0000 (22:38 +0000)
committerStefan Bader <stefan.bader@canonical.com>
Tue, 12 Nov 2019 08:45:15 +0000 (09:45 +0100)
BugLink: https://launchpad.net/bugs/1852141
When a jump_whitelist bitmap is reused, it needs to be cleared.
Currently this is done with memset() and the size calculation assumes
bitmaps are made of 32-bit words, not longs.  So on 64-bit
architectures, only the first half of the bitmap is cleared.

If some whitelist bits are carried over between successive batches
submitted on the same context, this will presumably allow embedding
the rogue instructions that we're trying to reject.

Use bitmap_zero() instead, which gets the calculation right.

Fixes: f8c08d8faee5 ("drm/i915/cmdparser: Add support for backward jumps")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
CVE-2019-0155

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
drivers/gpu/drm/i915/i915_cmd_parser.c

index efb6d0727eeacfd0a9fade5ca79690757c0d7092..a412e346b29ca0382a9bb50fb5539857e8ecb105 100644 (file)
@@ -1374,7 +1374,7 @@ static void init_whitelist(struct i915_gem_context *ctx, u32 batch_len)
                return;
 
        if (batch_cmds <= ctx->jump_whitelist_cmds) {
-               memset(ctx->jump_whitelist, 0, exact_size * sizeof(u32));
+               bitmap_zero(ctx->jump_whitelist, batch_cmds);
                return;
        }
 
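Review bot: `bitmap_zero(ctx->jump_whitelist, batch_cmds)` clears only the longs that cover the current batch, while the reused bitmap holds `ctx->jump_whitelist_cmds` bits, so bits set by an earlier, longer batch can remain above that point. That is safe only if every lookup rejects a target index at or beyond the current batch length before testing the bit. That check is not visible in this hunk, so it should be confirmed and recorded in a comment above the call, e.g. `/* Only bits below batch_cmds are consulted for this batch; stale bits above are never tested. */`. The failure path in the second hunk clears the full `ctx->jump_whitelist_cmds`, so the other option is to use that extent at both call sites and drop the dependency on the caller's bounds check. init_whitelist() starts before and continues past this hunk.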
@@ -1394,8 +1394,7 @@ again:
        }
 
        DRM_DEBUG("CMD: Failed to extend whitelist. BB_START may be disallowed\n");
-       memset(ctx->jump_whitelist, 0,
-              BITS_TO_LONGS(ctx->jump_whitelist_cmds) * sizeof(u32));
+       bitmap_zero(ctx->jump_whitelist, ctx->jump_whitelist_cmds);
 
        return;
 }