On Mon, Nov 03, 2014 at 10:51:42AM +0100, Daniel Vetter wrote:
> On Mon, Nov 03, 2014 at 10:27:47AM +0100, Thierry Reding wrote:
> > From: Thierry Reding <treding at nvidia.com>
> > 
> > When creating a dumb buffer object using the DRM_IOCTL_MODE_CREATE_DUMB
> > IOCTL, only the width, height, bpp and flags parameters are inputs. The
> > caller is not guaranteed to zero out or set handle, pitch and size, so
> > the driver must not treat these values as possible inputs.
> > 
> > Fixes a bug where running the Weston compositor on Tegra DRM would cause
> > an attempt to allocate a 3 GiB framebuffer.
> > 
> > Fixes: de2ba664c30f ("gpu: host1x: drm: Add memory manager and fb")
> > Cc: stable at vger.kernel.org
> > Signed-off-by: Thierry Reding <treding at nvidia.com>
> 
> Shouldn't we also clear these fields in the drm core ioctl code? This
> is indeed surprising (yay for lacking input validation!), doing this
> mistake in each driver won't scale ...
They are clearly documented as being outputs in the drm_mode_create_dumb
struct (include/uapi/drm/drm_mode.h), so this was really just me being
stupid a couple of years ago. But yes, validating the input in the core
sounds like a good idea to avoid this in other drivers in the future.

Thierry
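As an added illustration of the input/output confusion discussed in this thread (constructed example, not code from the patch or the drm tree): a dumb-create handler that honours whatever the caller left in pitch and size, next to one that derives both from the inputs, plus the core-side zeroing Daniel proposes. The struct layout mirrors drm_mode_create_dumb; the 3 MiB leftover pitch value, the helper names and the core_clear_outputs function are assumptions for the demonstration.

```c
#include <stdint.h>

/* Layout follows struct drm_mode_create_dumb (include/uapi/drm/drm_mode.h):
 * width, height, bpp and flags are inputs; handle, pitch and size are outputs. */
struct mode_create_dumb {
	uint32_t height, width, bpp, flags;
	uint32_t handle, pitch;
	uint64_t size;
};

/* Constructed 'before' pattern: pitch and size are treated as caller-supplied
 * lower bounds, so whatever the caller left in them is honoured. */
static uint64_t buggy_dumb_create(struct mode_create_dumb *a)
{
	uint32_t min_pitch = (a->width * a->bpp + 7) / 8;

	if (a->pitch < min_pitch)
		a->pitch = min_pitch;
	if (a->size < (uint64_t)a->pitch * a->height)
		a->size = (uint64_t)a->pitch * a->height;
	return a->size;
}

/* Driver-side fix: the outputs are derived from the inputs only. */
static uint64_t fixed_dumb_create(struct mode_create_dumb *a)
{
	a->pitch = (a->width * a->bpp + 7) / 8;
	a->size = (uint64_t)a->pitch * a->height;
	return a->size;
}

/* Core-side hardening suggested in the thread (assumed helper, not drm code):
 * zero the output fields before any driver sees the request. */
static void core_clear_outputs(struct mode_create_dumb *a)
{
	a->handle = a->pitch = 0;
	a->size = 0;
}

/* Constructed request: 1920x1080 at 32 bpp; 3 MiB of leftover data in pitch
 * stands in for an uninitialised caller struct. */
static struct mode_create_dumb request(void)
{
	struct mode_create_dumb a = { .height = 1080, .width = 1920, .bpp = 32, .pitch = 0x300000 };
	return a;
}

uint64_t size_from_buggy_driver(void) { struct mode_create_dumb a = request(); return buggy_dumb_create(&a); }
uint64_t size_from_fixed_driver(void) { struct mode_create_dumb a = request(); return fixed_dumb_create(&a); }
uint64_t size_after_core_clear(void) { struct mode_create_dumb a = request(); core_clear_outputs(&a); return buggy_dumb_create(&a); }
```

The buggy handler turns the leftover pitch into a request of about 3.2 GB, while the fixed handler and the core-cleared path both arrive at the 8,294,400 bytes a 1920x1080x32 buffer actually needs.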