drm/i915: Fix command parser to validate multiple register access with the same command.
author Francisco Jerez <currojerez@riseup.net>
Fri, 29 May 2015 13:44:13 +0000 (16:44 +0300)
committer Jani Nikula <jani.nikula@intel.com>
Mon, 15 Jun 2015 13:00:28 +0000 (16:00 +0300)
commit 8a389cac1fd7dd6411c7e586ab098938a75870e0
tree 0524c83d5536c6d89fe0b099dc907b314546fca1
parent 11ee9615f9bbc9c0c2dbd9f5eb275459b76f032a

Until now the software command checker assumed that commands could
read or write at most a single register per packet.  This is not
necessarily the case: MI_LOAD_REGISTER_IMM expects a variable-length
list of offset/value pairs and writes them in sequence.  The previous
code would only check whether the first entry was valid, effectively
allowing userspace to write unrestricted registers of the MMIO space
by sending a multi-register write with a legal first register, with
potential security implications on Gen6 and 7 hardware.

Fix it by extending the drm_i915_cmd_descriptor table to represent
multi-register access and making validate_cmd() iterate for all
register offsets present in the command packet.

Signed-off-by: Francisco Jerez <currojerez@riseup.net>
Reviewed-by: Zhigang Gong <zhigang.gong@linux.intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
drivers/gpu/drm/i915/i915_cmd_parser.c
drivers/gpu/drm/i915/i915_drv.h
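
The difference between checking only the first register and checking every offset/value pair, as an added example that is not the kernel's code or part of this commit. The packet layout macros, the offset mask, the function names and the two whitelisted offsets are simplified assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed simplified layout: dword 0 is the header, then (offset, value) pairs. */
#define LRI_HEADER(n) ((0x22u << 23) | (2u * (n) - 1u)) /* length field = dwords - 2 */
#define LRI_LENGTH(h) (((h) & 0xffu) + 2u)              /* total dwords in the packet */
#define REG_MASK      0x007ffffcu                       /* assumed offset bits */
static const uint32_t allowed_regs[] = { 0x2000u, 0x2004u }; /* constructed whitelist */

static bool reg_allowed(uint32_t offset)
{
    for (size_t i = 0; i < sizeof(allowed_regs) / sizeof(allowed_regs[0]); i++)
        if (allowed_regs[i] == offset)
            return true;
    return false;
}

/* Behaviour the commit message describes as broken: only the first pair is checked. */
static bool validate_first_only(const uint32_t *cmd, size_t avail)
{
    if (avail < 3 || LRI_LENGTH(cmd[0]) > avail)
        return false;
    return reg_allowed(cmd[1] & REG_MASK);
}

/* Fixed behaviour: every register offset in the packet must be whitelisted. */
static bool validate_all(const uint32_t *cmd, size_t avail)
{
    if (avail < 3)
        return false;
    size_t len = LRI_LENGTH(cmd[0]);
    if (len > avail || (len - 1) % 2 != 0) /* truncated packet or half a pair */
        return false;
    for (size_t i = 1; i < len; i += 2)    /* offsets sit at dwords 1, 3, 5, ... */
        if (!reg_allowed(cmd[i] & REG_MASK))
            return false;
    return true;
}

/* Constructed packets: two allowed registers, then an allowed one followed by one that is not. */
static const uint32_t pkt_ok[]    = { LRI_HEADER(2), 0x2000u, 1u, 0x2004u, 2u };
static const uint32_t pkt_mixed[] = { LRI_HEADER(2), 0x2000u, 1u, 0x4000u, 2u };

int main(void)
{
    /* Exit 0 when the first-only check passes the mixed packet and the full check rejects it. */
    return (validate_first_only(pkt_mixed, 5) && !validate_all(pkt_mixed, 5) &&
            validate_all(pkt_ok, 5)) ? 0 : 1;
}
```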