author Nongji Chen <nongji.chen@arm.com> 2022-09-08 12:26:15 +0100
committer Guus Sliepen <gsliepen@google.com> 2022-12-06 21:43:55 +0000
commit e56b280be10c9072370b9c469b40dbac8082f330 (patch)
tree 5cdd25d56e1a4a039ba3e741d12c4f1301529c29
parent f19a3fd973d58e808a72bae9d678e7ac55b134e4 (diff)
download gpu-e56b280be10c9072370b9c469b40dbac8082f330.tar.gz

GPUCORE-35499: Fix GROUP_SUSPEND kcpu suspend handling to prevent UAF
tags: android-13.0.0_r0.60, android-gs-pantah-5.10-android13-qpr1
This commit fixes a buffer vulnerability that is provided for internal test/dump use in kcpu queue to get a CSG's suspend buffer content. The change ensures that the user supplied GPU VA mapped dump receiving buffer must meet some additional expected attributes so as to avoid the risk the dump buffer is abused from the user side, yielding potential vulnerability of use after free in kbase GPU mapped buffers from the said kcpu dump arrangement for CSG suspend buffer content.

TI2: 906872 (PLAN-39472r8 R38P1 DDK Precommit)
TI2: 906873 (PLAN-39568r4 R38 GPU Core CS CSF, targeted R38 test, red an unrelated issue, intermittent)
TI2: 907201 (PLAN-39568r4 R38 GPU Core CS CSF, rerun the targeted red)
TI2: 906018 (PLAN-2596r269 GPU Core CS CSF, 1 unrelated red)
TI2: 906307 (PLAN-2596r269 GPU Core CS CSF, rerun the red)
TI2: 906019 (PLAN-28130r51 GPUCORE CS Android-12-CSF-Minimal, the red is a trunk issue, multiple nightly reds in history)

(cherry picked from commit 3646ab9f80d1e57b6cdff4e0651f3f07f7065954)

Bug: 254445909
Provenance: https://code.ipdelivery.arm.com/c/GPU/mali-ddk/+/4746
Change-Id: I25275830b56941f597e6ebb7e38bf8764a5a2555
-rw-r--r-- mali_kbase/csf/mali_kbase_csf_kcpu.c 9
1 file changed, 6 insertions, 3 deletions
diff --git a/mali_kbase/csf/mali_kbase_csf_kcpu.c b/mali_kbase/csf/mali_kbase_csf_kcpu.c
index 2991060..38e8520 100644
--- a/mali_kbase/csf/mali_kbase_csf_kcpu.c
+++ b/mali_kbase/csf/mali_kbase_csf_kcpu.c
@@ -649,9 +649,12 @@ static int kbase_csf_queue_group_suspend_prepare(
u64 start, end, i;
if (((reg->flags & KBASE_REG_ZONE_MASK) != KBASE_REG_ZONE_SAME_VA) ||
- reg->nr_pages < nr_pages ||
- kbase_reg_current_backed_size(reg) !=
- reg->nr_pages) {
+ (kbase_reg_current_backed_size(reg) < nr_pages) ||
+ !(reg->flags & KBASE_REG_CPU_WR) ||
+ (reg->gpu_alloc->type != KBASE_MEM_TYPE_NATIVE) ||
+ (reg->flags & KBASE_REG_DONT_NEED) ||
+ (reg->flags & KBASE_REG_ACTIVE_JIT_ALLOC) ||
+ (reg->flags & KBASE_REG_NO_USER_FREE)) {
ret = -EINVAL;
goto out_clean_pages;
}
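Review bot: the new condition in kbase_csf_queue_group_suspend_prepare() dereferences reg->gpu_alloc without a NULL check visible in this hunk; if the region lookup above does not already guarantee a backed native allocation, the type comparison `(reg->gpu_alloc->type != KBASE_MEM_TYPE_NATIVE)` should be guarded, or the guarantee should be stated in a comment. The rationale for the five new rejections is also not recorded in the code: a reader cannot tell from the hunk why a region flagged KBASE_REG_DONT_NEED, KBASE_REG_ACTIVE_JIT_ALLOC or KBASE_REG_NO_USER_FREE must not receive the suspend dump, and the commit message only says the attributes avoid a use after free. A short comment above the `if` explaining that the dump target must be a CPU-writable, fully backed native region whose pages cannot be reclaimed or reassigned while the kcpu command holds them would make the check reviewable. Finally, dropping `reg->nr_pages < nr_pages` in favour of `kbase_reg_current_backed_size(reg) < nr_pages` is fine only if the backed size can never exceed reg->nr_pages; worth noting in the same comment so the weaker bound is clearly intentional.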