[stable] Patch "drm/radeon/kms: do bounds checking for 3D_LOAD_VBPNTR and" has been added to the 2.6.39-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    drm/radeon/kms: do bounds checking for 3D_LOAD_VBPNTR and

to the 2.6.39-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     drm-radeon-kms-do-bounds-checking-for-3d_load_vbpntr-and.patch
and it can be found in the queue-2.6.39 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <sta...@kernel.org> know about it.


From a27bb4b209dd6c327fa4e7185f2487f9508a58db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Ol=C5=A1=C3=A1k?= <mar...@gmail.com>
Date: Fri, 10 Jun 2011 14:41:26 +0000
Subject: drm/radeon/kms: do bounds checking for 3D_LOAD_VBPNTR and
 bump array limit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From: =?UTF-8?q?Marek=20Ol=C5=A1=C3=A1k?= <mar...@gmail.com>

commit a27bb4b209dd6c327fa4e7185f2487f9508a58db upstream.

To my knowledge, the limit is 16 on r300.
(the docs don't say what the limit is)

The lack of bounds checking can be abused to do all sorts of things
(from bypassing parts of the CS checker to crashing the kernel).

Bugzilla:
https://bugs.freedesktop.org/show_bug.cgi?id=36745

Signed-off-by: Marek Olšák <mar...@gmail.com>
Signed-off-by: Dave Airlie <airl...@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>

---
 drivers/gpu/drm/radeon/r100_track.h |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/radeon/r100_track.h
+++ b/drivers/gpu/drm/radeon/r100_track.h
@@ -63,7 +63,7 @@ struct r100_cs_track {
        unsigned                        num_arrays;
        unsigned                        max_indx;
        unsigned                        color_channel_mask;
-       struct r100_cs_track_array      arrays[11];
+       struct r100_cs_track_array      arrays[16];
        struct r100_cs_track_cb         cb[R300_MAX_CB];
        struct r100_cs_track_cb         zb;
        struct r100_cs_track_cb         aa;
@@ -146,6 +146,12 @@ static inline int r100_packet3_load_vbpn
        ib = p->ib->ptr;
        track = (struct r100_cs_track *)p->track;
        c = radeon_get_ib_value(p, idx++) & 0x1F;
+       if (c > 16) {
+           DRM_ERROR("Only 16 vertex buffers are allowed %d\n",
+                     pkt->opcode);
+           r100_cs_dump_packet(p, pkt);
+           return -EINVAL;
+       }
        track->num_arrays = c;
        for (i = 0; i < (c - 1); i+=2, idx+=3) {
                r = r100_cs_packet_next_reloc(p, &reloc);


Patches currently in stable-queue which might be from mar...@gmail.com are

queue-2.6.39/drm-radeon-kms-do-bounds-checking-for-3d_load_vbpntr-and.patch

_______________________________________________
stable mailing list
stable@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/stable