drm/amdgpu/vcn4: Prevent OOB reads when parsing IB

commit 2444eb0ec8283f4a3845eb7febad378476e1ba3c upstream.

Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the
bounds checks.

Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
Acked-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
index d17219be50f3932c47d094300e6ee807426adf05..311b2479508abdafdc53cb880b2cfe9b53bf281e 100644 (file)
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
@@ -1913,9 +1913,10 @@ out:
 static int vcn_v4_0_enc_find_ib_param(struct amdgpu_ib *ib, uint32_t id, int start)
 {
        int i;
+       uint32_t len;
 
-       for (i = start; i < ib->length_dw && ib->ptr[i] >= 8; i += ib->ptr[i] / 4) {
-               if (ib->ptr[i + 1] == id)
+       for (i = start; (len = amdgpu_ib_get_value(ib, i)) >= 8; i += len / 4) {
+               if (amdgpu_ib_get_value(ib, i + 1) == id)
                        return i;
        }
        return -1;
@@ -1926,8 +1927,6 @@ static int vcn_v4_0_ring_patch_cs_in_place(struct amdgpu_cs_parser *p,
                                           struct amdgpu_ib *ib)
 {
        struct amdgpu_ring *ring = amdgpu_job_ring(job);
-       struct amdgpu_vcn_decode_buffer *decode_buffer;
-       uint64_t addr;
        uint32_t val;
        int idx = 0, sidx;
 
@@ -1938,20 +1937,22 @@ static int vcn_v4_0_ring_patch_cs_in_place(struct amdgpu_cs_parser *p,
        while ((idx = vcn_v4_0_enc_find_ib_param(ib, RADEON_VCN_ENGINE_INFO, idx)) >= 0) {
                val = amdgpu_ib_get_value(ib, idx + 2); /* RADEON_VCN_ENGINE_TYPE */
                if (val == RADEON_VCN_ENGINE_TYPE_DECODE) {
-                       decode_buffer = (struct amdgpu_vcn_decode_buffer *)&ib->ptr[idx + 6];
+                       uint32_t valid_buf_flag = amdgpu_ib_get_value(ib, idx + 6);
+                       uint64_t msg_buffer_addr;
 
-                       if (!(decode_buffer->valid_buf_flag & 0x1))
+                       if (!(valid_buf_flag & 0x1))
                                return 0;
 
-                       addr = ((u64)decode_buffer->msg_buffer_address_hi) << 32 |
-                               decode_buffer->msg_buffer_address_lo;
-                       return vcn_v4_0_dec_msg(p, job, addr);
+                       msg_buffer_addr = ((u64)amdgpu_ib_get_value(ib, idx + 7)) << 32 |
+                               amdgpu_ib_get_value(ib, idx + 8);
+                       return vcn_v4_0_dec_msg(p, job, msg_buffer_addr);
                } else if (val == RADEON_VCN_ENGINE_TYPE_ENCODE) {
                        sidx = vcn_v4_0_enc_find_ib_param(ib, RENCODE_IB_PARAM_SESSION_INIT, idx);
-                       if (sidx >= 0 && ib->ptr[sidx + 2] == RENCODE_ENCODE_STANDARD_AV1)
+                       if (sidx >= 0 &&
+                           amdgpu_ib_get_value(ib, sidx + 2) == RENCODE_ENCODE_STANDARD_AV1)
                                return vcn_v4_0_limit_sched(p, job);
                }
-               idx += ib->ptr[idx] / 4;
+               idx += amdgpu_ib_get_value(ib, idx) / 4;
        }
        return 0;
 }