Re: [Nouveau] [PATCH] drm/nouveau: fix ramht wraparound
On Fri, Dec 21, 2012 at 10:15:48AM +1000, Ben Skeggs wrote:

On Thu, Dec 20, 2012 at 11:37:12PM +0100, Marcin Slusarz wrote:

When hash collision occurs and it's near ramht object boundary, we could read and possibly overwrite some memory after ramht object.

Signed-off-by: Marcin Slusarz marcin.slus...@gmail.com
Cc: sta...@vger.kernel.org

--- drivers/gpu/drm/nouveau/core/core/ramht.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/nouveau/core/core/ramht.c b/drivers/gpu/drm/nouveau/core/core/ramht.c index 86a6404..6da314c 100644 --- a/drivers/gpu/drm/nouveau/core/core/ramht.c +++ b/drivers/gpu/drm/nouveau/core/core/ramht.c @@ -59,7 +59,7 @@ nouveau_ramht_insert(struct nouveau_ramht *ramht, int chid, } co += 8; - if (co = nv_gpuobj(ramht)-size) + if (co + 8 nv_gpuobj(ramht)-size)

I might just be really tired, but, how exactly is the original wrong? The original could even just be (co == size) and still work correctly as far as I can tell.

Ah, crap, I didn't see that both hash value and ramht->size are divisible by 8. So original code is correct (although it relies on the above) and my version does not really fix anything.

Marcin

___
Nouveau mailing list
Nouveau@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/nouveau
[Nouveau] [PATCH] drm/nouveau: fix ramht wraparound
When hash collision occurs and it's near ramht object boundary, we could read and possibly overwrite some memory after ramht object.

Signed-off-by: Marcin Slusarz marcin.slus...@gmail.com
Cc: sta...@vger.kernel.org

--- drivers/gpu/drm/nouveau/core/core/ramht.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/nouveau/core/core/ramht.c b/drivers/gpu/drm/nouveau/core/core/ramht.c index 86a6404..6da314c 100644 --- a/drivers/gpu/drm/nouveau/core/core/ramht.c +++ b/drivers/gpu/drm/nouveau/core/core/ramht.c @@ -59,7 +59,7 @@ nouveau_ramht_insert(struct nouveau_ramht *ramht, int chid, } co += 8; - if (co = nv_gpuobj(ramht)-size) + if (co + 8 nv_gpuobj(ramht)-size) co = 0; } while (co != ho); -- 1.8.0.2
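
Review bot: the changed bound check after `co += 8` has no case in the commit message where `co` can fall strictly between `size - 8` and `size`, which is the only situation in which adding 8 to the left-hand side would change the outcome. The probe starts at `ho` and advances in steps of 8 until `co != ho` fails, so whenever the starting offset and `nv_gpuobj(ramht)->size` are both multiples of 8, `co` lands exactly on the size and is reset to 0 before the next entry is touched. Please either describe a configuration where that alignment does not hold, or drop the comparison change and the stable Cc and instead put a one-line comment above the check stating that the wraparound depends on both values being 8-byte aligned.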
Re: [Nouveau] [PATCH] drm/nouveau: fix ramht wraparound
On Thu, Dec 20, 2012 at 11:37:12PM +0100, Marcin Slusarz wrote:

When hash collision occurs and it's near ramht object boundary, we could read and possibly overwrite some memory after ramht object.

Signed-off-by: Marcin Slusarz marcin.slus...@gmail.com
Cc: sta...@vger.kernel.org

--- drivers/gpu/drm/nouveau/core/core/ramht.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/nouveau/core/core/ramht.c b/drivers/gpu/drm/nouveau/core/core/ramht.c index 86a6404..6da314c 100644 --- a/drivers/gpu/drm/nouveau/core/core/ramht.c +++ b/drivers/gpu/drm/nouveau/core/core/ramht.c @@ -59,7 +59,7 @@ nouveau_ramht_insert(struct nouveau_ramht *ramht, int chid, } co += 8; - if (co = nv_gpuobj(ramht)-size) + if (co + 8 nv_gpuobj(ramht)-size)

I might just be really tired, but, how exactly is the original wrong? The original could even just be (co == size) and still work correctly as far as I can tell.

Ben.

co = 0; } while (co != ho); -- 1.8.0.2