38 lines
1.4 KiB
Diff
38 lines
1.4 KiB
Diff
From: Jon Bloomfield <jon.bloomfield@intel.com>
|
|
Date: Thu, 20 Sep 2018 09:45:10 -0700
|
|
Subject: drm/i915/cmdparser: Ignore Length operands during command matching
|
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-0155
|
|
|
|
commit 926abff21a8f29ef159a3ac893b05c6e50e043c3 upstream.
|
|
|
|
Some of the gen instruction macros (e.g. MI_DISPLAY_FLIP) have the
|
|
length directly encoded in them. Since these are used directly in
|
|
the tables, the Length becomes part of the comparison used for
|
|
matching during parsing. Thus, if the cmd being parsed has a
|
|
different length to that in the table, it is not matched and the
|
|
cmd is accepted via the default variable length path.
|
|
|
|
Fix by masking out everything except the Opcode in the cmd tables
|
|
|
|
Cc: Tony Luck <tony.luck@intel.com>
|
|
Cc: Dave Airlie <airlied@redhat.com>
|
|
Cc: Takashi Iwai <tiwai@suse.de>
|
|
Cc: Tyler Hicks <tyhicks@canonical.com>
|
|
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
|
|
Reviewed-by: Chris Wilson <chris.p.wilson@intel.com>
|
|
---
|
|
drivers/gpu/drm/i915/i915_cmd_parser.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
--- a/drivers/gpu/drm/i915/i915_cmd_parser.c
|
|
+++ b/drivers/gpu/drm/i915/i915_cmd_parser.c
|
|
@@ -187,7 +187,7 @@ struct drm_i915_cmd_table {
|
|
#define CMD(op, opm, f, lm, fl, ...) \
|
|
{ \
|
|
.flags = (fl) | ((f) ? CMD_DESC_FIXED : 0), \
|
|
- .cmd = { (op), ~0u << (opm) }, \
|
|
+ .cmd = { (op & ~0u << (opm)), ~0u << (opm) }, \
|
|
.length = { (lm) }, \
|
|
__VA_ARGS__ \
|
|
}
|