Emil Velikov
2011-Jun-11 12:30 UTC
[Nouveau] [PATCH] drm/nouveau/pm: Prevent overflow in nouveau_perf_init()
While parsing the perf table, there is no check if
the num of entries read from the vbios is less than
the currently allocated number.
In case of a buggy vbios this will cause overwriting
of kernel memory, causing additional problems.
Add a simple check in order to prevent the case.
Signed-off-by: Emil Velikov <emil.l.velikov at gmail.com>
---
drivers/gpu/drm/nouveau/nouveau_perf.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/drivers/gpu/drm/nouveau/nouveau_perf.c
b/drivers/gpu/drm/nouveau/nouveau_perf.c
index f2d98c9..b0e995f 100644
--- a/drivers/gpu/drm/nouveau/nouveau_perf.c
+++ b/drivers/gpu/drm/nouveau/nouveau_perf.c
@@ -225,6 +225,11 @@ nouveau_perf_init(struct drm_device *dev)
entries = perf[2];
}
+ if (entries > NOUVEAU_PM_MAX_LEVEL) {
+ NV_DEBUG(dev, "perf table has too many entries - buggy vbios?\n");
+ entries = NOUVEAU_PM_MAX_LEVEL;
+ }
+
entry = perf + headerlen;
for (i = 0; i < entries; i++) {
struct nouveau_pm_level *perflvl = &pm->perflvl[pm->nr_perflvl];
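Review bot: the clamp limits `entries`, but the loop that follows writes through `&pm->perflvl[pm->nr_perflvl]`, so the array index is `pm->nr_perflvl` rather than `i`; the new check only keeps the write in bounds if that counter is zero on entry and advances at most once per iteration. Bounding the index itself inside the loop (stop once `pm->nr_perflvl` reaches `NOUVEAU_PM_MAX_LEVEL`) would make the guarantee local to the write. The message is also emitted with `NV_DEBUG`, so a truncated table goes unreported unless debug output is enabled; a higher log level would surface the faulty vbios to the user.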
--
1.7.1
Martin Peres
2011-Jun-11 14:20 UTC
[Nouveau] [PATCH] drm/nouveau/pm: Prevent overflow in nouveau_perf_init()
On 11/06/2011 14:30, Emil Velikov wrote:
> + if (entries> NOUVEAU_PM_MAX_LEVEL) {
> + NV_DEBUG(dev, "perf table has too many entries - buggy vbios?\n");
> + entries = NOUVEAU_PM_MAX_LEVEL;
> + }
> +

I would suggest using NV_ERROR or INFO. How will we get buggy vbios if we don't warn the users of such cards?
Ben Skeggs
2011-Jun-16 03:43 UTC
[Nouveau] [PATCH] drm/nouveau/pm: Prevent overflow in nouveau_perf_init()
On Sat, 2011-06-11 at 13:30 +0100, Emil Velikov wrote:
> While parsing the perf table, there is no check if
> the num of entries read from the vbios is less than
> the currently allocated number.
>
> In case of a buggy vbios this will cause overwriting
> of kernel memory, causing additional problems.
>
> Add a simple check in order to prevent the case

I've pushed this. I'm not entirely certain we shouldn't just bail out completely if this is the case, I suspect that if there's this many, the VBIOS image is probably very screwed. This'll do for now :)

Ben.

>
> Signed-off-by: Emil Velikov <emil.l.velikov at gmail.com>
> ---
> drivers/gpu/drm/nouveau/nouveau_perf.c | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/gpu/drm/nouveau/nouveau_perf.c b/drivers/gpu/drm/nouveau/nouveau_perf.c
> index f2d98c9..b0e995f 100644
> --- a/drivers/gpu/drm/nouveau/nouveau_perf.c
> +++ b/drivers/gpu/drm/nouveau/nouveau_perf.c
> @@ -225,6 +225,11 @@ nouveau_perf_init(struct drm_device *dev)
> entries = perf[2];
> }
>
> + if (entries > NOUVEAU_PM_MAX_LEVEL) {
> + NV_DEBUG(dev, "perf table has too many entries - buggy vbios?\n");
> + entries = NOUVEAU_PM_MAX_LEVEL;
> + }
> +
> entry = perf + headerlen;
> for (i = 0; i < entries; i++) {
> struct nouveau_pm_level *perflvl = &pm->perflvl[pm->nr_perflvl];