From: Felix Kuehling <felix.kuehling@amd.com>
To: "Jeremy Cline" <jcline@redhat.com>,
"Alex Deucher" <alexander.deucher@amd.com>,
"Christian König" <christian.koenig@amd.com>
Cc: David Airlie <airlied@linux.ie>,
linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
amd-gfx@lists.freedesktop.org, Daniel Vetter <daniel@ffwll.ch>,
Kent Russell <kent.russell@amd.com>
Subject: Re: [PATCH v2] drm/amdkfd: Fix out-of-bounds read in kdf_create_vcrat_image_cpu()
Date: Mon, 11 Jan 2021 16:46:13 -0500 [thread overview]
Message-ID: <48b5c6b7-3c48-2fb0-dfde-3aabd3c1ad0d@amd.com> (raw)
In-Reply-To: <20210111210528.734483-1-jcline@redhat.com>
Am 2021-01-11 um 4:05 p.m. schrieb Jeremy Cline:
> KASAN reported a slab-out-of-bounds read of size 1 in
> kdf_create_vcrat_image_cpu().
>
> This occurs when, for example, when on an x86_64 with a single NUMA node
> because kfd_fill_iolink_info_for_cpu() is a no-op, but afterwards the
> sub_type_hdr->length, which is out-of-bounds, is read and multiplied by
> entries. Fortunately, entries is 0 in this case so the overall
> crat_table->length is still correct.
>
> Check if there were any entries before de-referencing sub_type_hdr which
> may be pointing to out-of-bounds memory.
>
> Fixes: b7b6c38529c9 ("drm/amdkfd: Calculate CPU VCRAT size dynamically (v2)")
> Suggested-by: Felix Kuehling <Felix.Kuehling@amd.com>
> Signed-off-by: Jeremy Cline <jcline@redhat.com>
Thanks. I'll apply this patch.
Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
> ---
> drivers/gpu/drm/amd/amdkfd/kfd_crat.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c
> index 8cac497c2c45..a5640a6138cf 100644
> --- a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c
> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c
> @@ -1040,11 +1040,14 @@ static int kfd_create_vcrat_image_cpu(void *pcrat_image, size_t *size)
> (struct crat_subtype_iolink *)sub_type_hdr);
> if (ret < 0)
> return ret;
> - crat_table->length += (sub_type_hdr->length * entries);
> - crat_table->total_entries += entries;
>
> - sub_type_hdr = (typeof(sub_type_hdr))((char *)sub_type_hdr +
> - sub_type_hdr->length * entries);
> + if (entries) {
> + crat_table->length += (sub_type_hdr->length * entries);
> + crat_table->total_entries += entries;
> +
> + sub_type_hdr = (typeof(sub_type_hdr))((char *)sub_type_hdr +
> + sub_type_hdr->length * entries);
> + }
> #else
> pr_info("IO link not available for non x86 platforms\n");
> #endif
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx
WARNING: multiple messages have this Message-ID (diff)
From: Felix Kuehling <felix.kuehling@amd.com>
To: "Jeremy Cline" <jcline@redhat.com>,
"Alex Deucher" <alexander.deucher@amd.com>,
"Christian König" <christian.koenig@amd.com>
Cc: David Airlie <airlied@linux.ie>,
linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
amd-gfx@lists.freedesktop.org,
Kent Russell <kent.russell@amd.com>
Subject: Re: [PATCH v2] drm/amdkfd: Fix out-of-bounds read in kdf_create_vcrat_image_cpu()
Date: Mon, 11 Jan 2021 16:46:13 -0500 [thread overview]
Message-ID: <48b5c6b7-3c48-2fb0-dfde-3aabd3c1ad0d@amd.com> (raw)
In-Reply-To: <20210111210528.734483-1-jcline@redhat.com>
Am 2021-01-11 um 4:05 p.m. schrieb Jeremy Cline:
> KASAN reported a slab-out-of-bounds read of size 1 in
> kdf_create_vcrat_image_cpu().
>
> This occurs when, for example, when on an x86_64 with a single NUMA node
> because kfd_fill_iolink_info_for_cpu() is a no-op, but afterwards the
> sub_type_hdr->length, which is out-of-bounds, is read and multiplied by
> entries. Fortunately, entries is 0 in this case so the overall
> crat_table->length is still correct.
>
> Check if there were any entries before de-referencing sub_type_hdr which
> may be pointing to out-of-bounds memory.
>
> Fixes: b7b6c38529c9 ("drm/amdkfd: Calculate CPU VCRAT size dynamically (v2)")
> Suggested-by: Felix Kuehling <Felix.Kuehling@amd.com>
> Signed-off-by: Jeremy Cline <jcline@redhat.com>
Thanks. I'll apply this patch.
Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
> ---
> drivers/gpu/drm/amd/amdkfd/kfd_crat.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c
> index 8cac497c2c45..a5640a6138cf 100644
> --- a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c
> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c
> @@ -1040,11 +1040,14 @@ static int kfd_create_vcrat_image_cpu(void *pcrat_image, size_t *size)
> (struct crat_subtype_iolink *)sub_type_hdr);
> if (ret < 0)
> return ret;
> - crat_table->length += (sub_type_hdr->length * entries);
> - crat_table->total_entries += entries;
>
> - sub_type_hdr = (typeof(sub_type_hdr))((char *)sub_type_hdr +
> - sub_type_hdr->length * entries);
> + if (entries) {
> + crat_table->length += (sub_type_hdr->length * entries);
> + crat_table->total_entries += entries;
> +
> + sub_type_hdr = (typeof(sub_type_hdr))((char *)sub_type_hdr +
> + sub_type_hdr->length * entries);
> + }
> #else
> pr_info("IO link not available for non x86 platforms\n");
> #endif
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
WARNING: multiple messages have this Message-ID (diff)
From: Felix Kuehling <felix.kuehling@amd.com>
To: "Jeremy Cline" <jcline@redhat.com>,
"Alex Deucher" <alexander.deucher@amd.com>,
"Christian König" <christian.koenig@amd.com>
Cc: David Airlie <airlied@linux.ie>, Daniel Vetter <daniel@ffwll.ch>,
Kent Russell <kent.russell@amd.com>,
amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] drm/amdkfd: Fix out-of-bounds read in kdf_create_vcrat_image_cpu()
Date: Mon, 11 Jan 2021 16:46:13 -0500 [thread overview]
Message-ID: <48b5c6b7-3c48-2fb0-dfde-3aabd3c1ad0d@amd.com> (raw)
In-Reply-To: <20210111210528.734483-1-jcline@redhat.com>
Am 2021-01-11 um 4:05 p.m. schrieb Jeremy Cline:
> KASAN reported a slab-out-of-bounds read of size 1 in
> kdf_create_vcrat_image_cpu().
>
> This occurs when, for example, when on an x86_64 with a single NUMA node
> because kfd_fill_iolink_info_for_cpu() is a no-op, but afterwards the
> sub_type_hdr->length, which is out-of-bounds, is read and multiplied by
> entries. Fortunately, entries is 0 in this case so the overall
> crat_table->length is still correct.
>
> Check if there were any entries before de-referencing sub_type_hdr which
> may be pointing to out-of-bounds memory.
>
> Fixes: b7b6c38529c9 ("drm/amdkfd: Calculate CPU VCRAT size dynamically (v2)")
> Suggested-by: Felix Kuehling <Felix.Kuehling@amd.com>
> Signed-off-by: Jeremy Cline <jcline@redhat.com>
Thanks. I'll apply this patch.
Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
> ---
> drivers/gpu/drm/amd/amdkfd/kfd_crat.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c
> index 8cac497c2c45..a5640a6138cf 100644
> --- a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c
> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c
> @@ -1040,11 +1040,14 @@ static int kfd_create_vcrat_image_cpu(void *pcrat_image, size_t *size)
> (struct crat_subtype_iolink *)sub_type_hdr);
> if (ret < 0)
> return ret;
> - crat_table->length += (sub_type_hdr->length * entries);
> - crat_table->total_entries += entries;
>
> - sub_type_hdr = (typeof(sub_type_hdr))((char *)sub_type_hdr +
> - sub_type_hdr->length * entries);
> + if (entries) {
> + crat_table->length += (sub_type_hdr->length * entries);
> + crat_table->total_entries += entries;
> +
> + sub_type_hdr = (typeof(sub_type_hdr))((char *)sub_type_hdr +
> + sub_type_hdr->length * entries);
> + }
> #else
> pr_info("IO link not available for non x86 platforms\n");
> #endif
next prev parent reply other threads:[~2021-01-11 21:46 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-08 16:31 [PATCH] drm/amdkfd: Fix out-of-bounds read in kdf_create_vcrat_image_cpu() Jeremy Cline
2021-01-08 16:31 ` Jeremy Cline
2021-01-08 16:31 ` Jeremy Cline
2021-01-08 23:46 ` Felix Kuehling
2021-01-08 23:46 ` Felix Kuehling
2021-01-08 23:46 ` Felix Kuehling
2021-01-09 2:26 ` Jeremy Cline
2021-01-09 2:26 ` Jeremy Cline
2021-01-09 2:26 ` Jeremy Cline
2021-01-11 21:05 ` [PATCH v2] " Jeremy Cline
2021-01-11 21:05 ` Jeremy Cline
2021-01-11 21:05 ` Jeremy Cline
2021-01-11 21:46 ` Felix Kuehling [this message]
2021-01-11 21:46 ` Felix Kuehling
2021-01-11 21:46 ` Felix Kuehling
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48b5c6b7-3c48-2fb0-dfde-3aabd3c1ad0d@amd.com \
--to=felix.kuehling@amd.com \
--cc=airlied@linux.ie \
--cc=alexander.deucher@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=christian.koenig@amd.com \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=jcline@redhat.com \
--cc=kent.russell@amd.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.