• Luca Barbieri's avatar
    drm/nouveau: check pushbuffer bounds in ioctl · 12f735b7
    Luca Barbieri authored
    Currently there is no check that the pushbuffer request bounds are inside
    the TTM BO.
    
    This allows to instruct the kernel to do relocations on user-selected
    addresses, since the relocation bounds checking relies on the request
    bounds.
    
    This can oops the kernel accidentally and is easily exploitable.
    
    This patch adds bound checking and alignment checking for ->offset and
    ->nr_dwords.
    
    It also makes some variables unsigned, which should have no effect,
    but prevents possible bounds checking problems.
    Signed-off-by: default avatarLuca Barbieri <luca@luca-barbieri.com>
    Signed-off-by: default avatarBen Skeggs <bskeggs@redhat.com>
    12f735b7
nouveau_gem.c 24.4 KB