Commit e4fda9f2 authored by Chris Wilson, committed by Dave Airlie

drm: Perform ioctl command validation on the stored kernel values

Userspace is free to pass in any command bits it feels like through the
ioctl cmd, and for example trinity likes to fuzz those bits to create
conflicting commands. So instead of relying upon userspace to pass along
the correct IN/OUT flags for the ioctl, use the flags as expected by the
kernel.

This does have a side-effect that NULL pointers can not be substituted
by userspace in place of a struct. This feature was not being used by
any driver, but instead exposed all of the command handlers to a user
triggerable OOPS.

Reported-by: Tommi Rantala <tt.rantala@gmail.com>
Link: http://lkml.kernel.org/r/CA+ydwtpuBvbwxbt-tdgPUvj1EU7itmCHo_2B3w13HkD5+jWKow@mail.gmail.com
Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Dave Airlie <airlied@redhat.com>
parent b6330548
...@@ -408,6 +408,7 @@ long drm_ioctl(struct file *filp, ...@@ -408,6 +408,7 @@ long drm_ioctl(struct file *filp,
usize = asize = _IOC_SIZE(cmd); usize = asize = _IOC_SIZE(cmd);
if (drv_size > asize) if (drv_size > asize)
asize = drv_size; asize = drv_size;
cmd = ioctl->cmd_drv;
} }
else if ((nr >= DRM_COMMAND_END) || (nr < DRM_COMMAND_BASE)) { else if ((nr >= DRM_COMMAND_END) || (nr < DRM_COMMAND_BASE)) {
ioctl = &drm_ioctls[nr]; ioctl = &drm_ioctls[nr];
......
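Review bot: The new `cmd = ioctl->cmd_drv;` sits after `usize = asize = _IOC_SIZE(cmd);`, so in this driver branch the size is still decoded from the userspace-supplied cmd, and only later uses of cmd (the IN/OUT direction bits the commit message refers to) come from the kernel's table. That ordering looks deliberate but is easy to break in a later reshuffle; a one-line comment above the assignment stating that cmd is replaced only after the user size has been read would help. Also, in the lines shown, the core branch (`ioctl = &drm_ioctls[nr];`) has no matching override; if the elided part of the diff does not add one, core ioctls would still trust the direction bits passed in by userspace.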