[PATCH 1/4] habanalabs: verify user input in cs_ioctl_signal_wait

From: Oded Gabbay
Date: Sun Aug 09 2020 - 07:53:56 EST

Next message: Oded Gabbay: "[PATCH 3/4] habanalabs: proper handling of alloc size in coresight"
Previous message: Oded Gabbay: "[PATCH 2/4] habanalabs: set clock gating according to mask"
Next in thread: Oded Gabbay: "[PATCH 2/4] habanalabs: set clock gating according to mask"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ofir Bitton <obitton@xxxxxxxxx>

User input must be validated before using it to
access internal structures.

Signed-off-by: Ofir Bitton <obitton@xxxxxxxxx>
Reviewed-by: Oded Gabbay <oded.gabbay@xxxxxxxxx>
Signed-off-by: Oded Gabbay <oded.gabbay@xxxxxxxxx>
---
drivers/misc/habanalabs/common/command_submission.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/drivers/misc/habanalabs/common/command_submission.c b/drivers/misc/habanalabs/common/command_submission.c
index b9840e368eb5..2e3fcbc794db 100644
--- a/drivers/misc/habanalabs/common/command_submission.c
+++ b/drivers/misc/habanalabs/common/command_submission.c
@@ -808,6 +808,14 @@ static int cs_ioctl_signal_wait(struct hl_fpriv *hpriv, enum hl_cs_type cs_type,

/* currently it is guaranteed to have only one chunk */
chunk = &cs_chunk_array[0];
+
+ if (chunk->queue_index >= hdev->asic_prop.max_queues) {
+ dev_err(hdev->dev, "Queue index %d is invalid\n",
+ chunk->queue_index);
+ rc = -EINVAL;
+ goto free_cs_chunk_array;
+ }
+
q_idx = chunk->queue_index;
hw_queue_prop = &hdev->asic_prop.hw_queues_props[q_idx];
q_type = hw_queue_prop->type;
--
2.17.1

Next message: Oded Gabbay: "[PATCH 3/4] habanalabs: proper handling of alloc size in coresight"
Previous message: Oded Gabbay: "[PATCH 2/4] habanalabs: set clock gating according to mask"
Next in thread: Oded Gabbay: "[PATCH 2/4] habanalabs: set clock gating according to mask"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]