drm/amdgpu: Fix bounds checking in amdgpu_ras_is_supported()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The "block" variable can be set by the user through debugfs, so it can
be quite large which leads to shift wrapping here. This means we report
a "block" as supported when it's not, and that leads to array overflows
later on.

This bug is not really a security issue in real life, because debugfs is
generally root only.

Fixes: 36ea1bd2d084 ("drm/amdgpu: add debugfs ctrl node")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

authored by

Dan Carpenter and committed by

Alex Deucher 6 years ago 99f304be 517b91f4

1 changed file

expand all

drivers

gpu

drm

amd

amdgpu

amdgpu_ras.h

drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h

··· 172 172 { 173 173 struct amdgpu_ras *ras = amdgpu_ras_get_context(adev); 174 174 175 + if (block >= AMDGPU_RAS_BLOCK_COUNT) 176 + return 0; 175 177 return ras && (ras->supported & (1 << block)); 176 178 } 177 179