From: Jeremy Cline
To: Felix Kuehling, Alex Deucher, Christian König
Cc: David Airlie, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, Jeremy Cline, amd-gfx@lists.freedesktop.org, Daniel Vetter, Kent Russell
Subject: [PATCH v2] drm/amdkfd: Fix out-of-bounds read in kdf_create_vcrat_image_cpu()
Date: Mon, 11 Jan 2021 16:05:28 -0500
Message-Id: <20210111210528.734483-1-jcline@redhat.com>
In-Reply-To: <20210108163104.411442-1-jcline@redhat.com>
References: <20210108163104.411442-1-jcline@redhat.com>

KASAN reported a slab-out-of-bounds read of size 1 in kdf_create_vcrat_image_cpu().

This occurs when, for example, on an x86_64 with a single NUMA node because kfd_fill_iolink_info_for_cpu() is a no-op, but afterwards the sub_type_hdr->length, which is out-of-bounds, is read and multiplied by entries. Fortunately, entries is 0 in this case so the overall crat_table->length is still correct.

Check if there were any entries before de-referencing sub_type_hdr which may be pointing to out-of-bounds memory.

Fixes: b7b6c38529c9 ("drm/amdkfd: Calculate CPU VCRAT size dynamically (v2)")
Suggested-by: Felix Kuehling
Signed-off-by: Jeremy Cline
---
 drivers/gpu/drm/amd/amdkfd/kfd_crat.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c index 8cac497c2c45..a5640a6138cf 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c 
@@ -1040,11 +1040,14 @@ static int kfd_create_vcrat_image_cpu(void *pcrat_image, size_t *size) (struct crat_subtype_iolink *)sub_type_hdr); if (ret < 0) return ret; - crat_table->length += (sub_type_hdr->length * entries); - crat_table->total_entries += entries; - sub_type_hdr = (typeof(sub_type_hdr))((char *)sub_type_hdr + - sub_type_hdr->length * entries); + if (entries) { + crat_table->length += (sub_type_hdr->length * entries); + crat_table->total_entries += entries; + + sub_type_hdr = (typeof(sub_type_hdr))((char *)sub_type_hdr + + sub_type_hdr->length * entries); + } #else pr_info("IO link not available for non x86 platforms\n"); #endif -- 2.29.2
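Review bot: the `if (entries) {` guard added after the `ret < 0` check needs a short comment saying that `sub_type_hdr` may point to out-of-bounds memory when no IO link entries were filled in. Without it the guard looks removable, because the old code only added `sub_type_hdr->length * entries`, which is 0 in that case, and a later cleanup could fold the check away and bring back the read KASAN reported. Inside the block, `sub_type_hdr->length * entries` is evaluated twice; a local holding the product would make it plain that the `crat_table->length` update and the pointer advance use the same byte count. Separately, the subject and commit message spell the function `kdf_create_vcrat_image_cpu()` while the hunk header shows `kfd_create_vcrat_image_cpu()`, so a search of the history by function name will miss this commit.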