Bug#685604: linux-image-3.2.23-3-custom02-amd64: Radeon may try to read past end of video bios (memory allocation in acpi driver)

Wed, 22 Aug 2012 05:21:20 -0700 

Package: linux-image-3.2.23-3-custom02-amd64
Version: 3.2.0
Severity: important
Tags: patch

Dear Maintainer,

I build a custom debian kernel using config with debug options turned
on. That caught in boot a memory read past end of memory allocation. The
issue happens in video bios reading code that calls to ACPI to fetch
video bios. Memory allocation for returned video bios happens in ACPI
driver but radeon failed to check the amount of data returned by ACPI.

There is upstream fix for the issue. But it is split to 3 separate
commits to fix the relevant code path. I'm currently running the
backported patch with 3.2.0-3

commit de47a9cd62771e3e78954d855d2304fbad4c5a44
Author: Dave Airlie <[email protected]>
Date:   Thu Feb 2 15:25:16 2012 +0000

    drm/radeon: fix use after free in ATRM bios reading code.
    
    Fixes:
    https://bugs.freedesktop.org/show_bug.cgi?id=45503
    
    Reported-and-Debugged-by: [email protected]
    Signed-off-by: Dave Airlie <[email protected]>

commit 211fa4fc4e13492151e698d92b0dff56b29928ec
Author: Igor Murzov <[email protected]>
Date:   Sun Jan 22 18:47:28 2012 +0400

    drm/radeon: finish getting bios earlier
    
    Return a number of bytes read in radeon_atrm_get_bios_chunk() and
    properly check this value in radeon_atrm_get_bios().
    If radeon_atrm_get_bios_chunk() read less bytes then were requested,
    it means that it finished reading bios data.
    
    Prior to this patch, condition in radeon_atrm_get_bios() was always
    equivalent to "if (ATRM_BIOS_PAGE <= 0)", so it was always false,
    thus radeon_atrm_get_bios() was trying to read past the bios data
    wasting boot time.
    
    On my lenovo ideapad u455 laptop this patch drops bios reading time
    from ~5.5s to ~1.5s.
    
    Signed-off-by: Igor Murzov <[email protected]>
    Reviewed-by: Alex Deucher <[email protected]>
    Signed-off-by: Dave Airlie <[email protected]>

commit a3f83ab1a717c0e6c2f59a4cfdaa10707cc35c55
Author: Igor Murzov <[email protected]>
Date:   Sun Jan 22 18:43:25 2012 +0400

    drm/radeon: fix invalid memory access in radeon_atrm_get_bios()
    
    At a boot time I observed following bug:
    
     BUG: unable to handle kernel paging request at ffff8800a4244000
     IP: [<ffffffff81275b5b>] memcpy+0xb/0x120
     PGD 1816063 PUD 1fe7d067 PMD 1ff9f067 PTE 80000000a4244160
     Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
     CPU 0
     Modules linked in: btusb bluetooth brcmsmac brcmutil crc8 cordic b43 
radeon(+)
      mac80211 cfg80211 ttm ohci_hcd drm_kms_helper rfkill drm ssb agpgart 
mmc_core
      sp5100_tco video battery ac thermal processor rtc_cmos thermal_sys 
snd_hda_codec_hdmi
      joydev snd_hda_codec_conexant button bcma pcmcia snd_hda_intel 
snd_hda_codec
      snd_hwdep snd_pcm shpchp pcmcia_core k8temp snd_timer atl1c snd psmouse 
hwmon
      i2c_piix4 i2c_algo_bit soundcore evdev i2c_core ehci_hcd sg serio_raw 
snd_page_alloc
      loop btrfs
    
     Pid: 1008, comm: modprobe Not tainted 3.3.0-rc1 #21 LENOVO 20046           
                /AMD CRB
     RIP: 0010:[<ffffffff81275b5b>]  [<ffffffff81275b5b>] memcpy+0xb/0x120
     RSP: 0018:ffff8800aa72db00  EFLAGS: 00010246
     RAX: ffff8800a4150000 RBX: 0000000000001000 RCX: 0000000000000087
     RDX: 0000000000000000 RSI: ffff8800a4244000 RDI: ffff8800a4150bc8
     RBP: ffff8800aa72db78 R08: 0000000000000010 R09: ffffffff8174bbec
     R10: ffffffff812ee010 R11: 0000000000000001 R12: 0000000000001000
     R13: 0000000000010000 R14: ffff8800a4140000 R15: ffff8800aaba1800
     FS:  00007ff9a3bd4720(0000) GS:ffff8800afa00000(0000) 
knlGS:0000000000000000
     CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
     CR2: ffff8800a4244000 CR3: 00000000a9c18000 CR4: 00000000000006f0
     DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
     DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
     Process modprobe (pid: 1008, threadinfo ffff8800aa72c000, task 
ffff8800aa0e4000)
     Stack:
      ffffffffa04e7c7b 0000000000000001 0000000000010000 ffff8800aa72db28
      ffffffff00000001 0000000000001000 ffffffff8113cbef 0000000000000020
      ffff8800a4243420 ffff880000000002 ffff8800aa72db08 ffff8800a9d42000
     Call Trace:
      [<ffffffffa04e7c7b>] ? radeon_atrm_get_bios_chunk+0x8b/0xd0 [radeon]
      [<ffffffff8113cbef>] ? kmalloc_order_trace+0x3f/0xb0
      [<ffffffffa04a9298>] radeon_get_bios+0x68/0x2f0 [radeon]
      [<ffffffffa04c7a30>] rv770_init+0x40/0x280 [radeon]
      [<ffffffffa047d740>] radeon_device_init+0x560/0x600 [radeon]
      [<ffffffffa047ef4f>] radeon_driver_load_kms+0xaf/0x170 [radeon]
      [<ffffffffa043cdde>] drm_get_pci_dev+0x18e/0x2c0 [drm]
      [<ffffffffa04e7e95>] radeon_pci_probe+0xad/0xb5 [radeon]
      [<ffffffff81296c5f>] local_pci_probe+0x5f/0xd0
      [<ffffffff81297418>] pci_device_probe+0x88/0xb0
      [<ffffffff813417aa>] ? driver_sysfs_add+0x7a/0xb0
      [<ffffffff813418d8>] really_probe+0x68/0x180
      [<ffffffff81341be5>] driver_probe_device+0x45/0x70
      [<ffffffff81341cb3>] __driver_attach+0xa3/0xb0
      [<ffffffff81341c10>] ? driver_probe_device+0x70/0x70
      [<ffffffff813400ce>] bus_for_each_dev+0x5e/0x90
      [<ffffffff8134172e>] driver_attach+0x1e/0x20
      [<ffffffff81341298>] bus_add_driver+0xc8/0x280
      [<ffffffff813422c6>] driver_register+0x76/0x140
      [<ffffffff812976d6>] __pci_register_driver+0x66/0xe0
      [<ffffffffa043d021>] drm_pci_init+0x111/0x120 [drm]
      [<ffffffff8133c67a>] ? vga_switcheroo_register_handler+0x3a/0x60
      [<ffffffffa0229000>] ? 0xffffffffa0228fff
      [<ffffffffa02290ec>] radeon_init+0xec/0xee [radeon]
      [<ffffffff810002f2>] do_one_initcall+0x42/0x180
      [<ffffffff8109d8d2>] sys_init_module+0x92/0x1e0
      [<ffffffff815407a9>] system_call_fastpath+0x16/0x1b
     Code: 58 2a 43 50 88 43 4e 48 83 c4 08 5b c9 c3 66 90 e8 cb fd ff ff eb
      e6 90 90 90 90 90 90 90 90 90 48 89 f8 89 d1 c1 e9 03 83 e2 07 <f3> 48
      a5 89 d1 f3 a4 c3 20 48 83 ea 20 4c 8b 06 4c 8b 4e 08 4c
     RIP  [<ffffffff81275b5b>] memcpy+0xb/0x120
      RSP <ffff8800aa72db00>
     CR2: ffff8800a4244000
     ---[ end trace fcffa1599cf56382 ]---
    
    Call to acpi_evaluate_object() not always returns 4096 bytes chunks,
    on my system it can return 2048 bytes chunk, so pass the length of
    retrieved chunk to memcpy(), not the length of the recieving buffer.
    
    Signed-off-by: Igor Murzov <[email protected]>
    Reviewed-by: Alex Deucher <[email protected]>
    Signed-off-by: Dave Airlie <[email protected]>

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.23-3-custom02-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages linux-image-3.2.23-3-custom02-amd64 depends on:
ii  coreutils              8.13-3.2
ii  debconf [debconf-2.0]  1.5.46

linux-image-3.2.23-3-custom02-amd64 recommends no packages.

Versions of packages linux-image-3.2.23-3-custom02-amd64 suggests:
pn  fdutils                                                              <none>
pn  ksymoops                                                             <none>
pn  linux-doc-3.2.23-3-custom02-amd64 | linux-source-3.2.23-3-custom02-  <none>
pn  linux-image-3.2.23-3-custom02-amd64-dbg                              <none>

-- debconf information:
  
linux-image-3.2.23-3-custom02-amd64/postinst/depmod-error-3.2.23-3-custom02-amd64:
 false
  
linux-image-3.2.23-3-custom02-amd64/preinst/already-running-this-3.2.23-3-custom02-amd64:
  
linux-image-3.2.23-3-custom02-amd64/postinst/old-dir-initrd-link-3.2.23-3-custom02-amd64:
 true
  
linux-image-3.2.23-3-custom02-amd64/preinst/failed-to-move-modules-3.2.23-3-custom02-amd64:
  
linux-image-3.2.23-3-custom02-amd64/postinst/old-system-map-link-3.2.23-3-custom02-amd64:
 true
  linux-image-3.2.23-3-custom02-amd64/postinst/kimage-is-a-directory:
  
linux-image-3.2.23-3-custom02-amd64/prerm/removing-running-kernel-3.2.23-3-custom02-amd64:
 true
  
linux-image-3.2.23-3-custom02-amd64/preinst/abort-overwrite-3.2.23-3-custom02-amd64:
  
linux-image-3.2.23-3-custom02-amd64/postinst/depmod-error-initrd-3.2.23-3-custom02-amd64:
 false
  
linux-image-3.2.23-3-custom02-amd64/preinst/overwriting-modules-3.2.23-3-custom02-amd64:
 true

diff --git a/drivers/gpu/drm/radeon/radeon_atpx_handler.c b/drivers/gpu/drm/radeon/radeon_atpx_handler.c
index 9d95792..98724fc 100644
--- a/drivers/gpu/drm/radeon/radeon_atpx_handler.c
+++ b/drivers/gpu/drm/radeon/radeon_atpx_handler.c
@@ -58,7 +58,8 @@ static int radeon_atrm_call(acpi_handle atrm_handle, uint8_t *bios,
 	}
 
 	obj = (union acpi_object *)buffer.pointer;
-	memcpy(bios+offset, obj->buffer.pointer, len);
+	memcpy(bios+offset, obj->buffer.pointer, obj->buffer.length);
+	len = obj->buffer.length;
 	kfree(buffer.pointer);
 	return len;
 }
diff --git a/drivers/gpu/drm/radeon/radeon_bios.c b/drivers/gpu/drm/radeon/radeon_bios.c
index 229a20f..501f488 100644
--- a/drivers/gpu/drm/radeon/radeon_bios.c
+++ b/drivers/gpu/drm/radeon/radeon_bios.c
@@ -120,7 +120,7 @@ static bool radeon_atrm_get_bios(struct radeon_device *rdev)
 		ret = radeon_atrm_get_bios_chunk(rdev->bios,
 						 (i * ATRM_BIOS_PAGE),
 						 ATRM_BIOS_PAGE);
-		if (ret <= 0)
+		if (ret < ATRM_BIOS_PAGE)
 			break;
 	}

Reply via email to