    UBUNTU: SAUCE: i915_bpo: drm/i915/cmdparser: Add support for backward jumps · 9c352afb
    Jon Bloomfield authored
    To keep things manageable, the pre-gen9 cmdparser does not
    attempt to track any form of nested BB_STARTs. This did not
    prevent usermode from using nested starts, or even chained
    batches, because the cmdparser is not strictly enforced pre-gen9.
    
    Instead, the existence of a nested BB_START would cause the batch
    to be emitted in insecure mode, and any privileged capabilities
    would not be available.
    
    For Gen9, the cmdparser becomes mandatory (for BCS at least), and
    so not providing any form of nested BB_START support becomes
    overly restrictive. Any such batch will simply not run.
    
    We make heavy use of backward jumps in igt, and it is much easier
    to add support for this restricted subset of nested jumps than to
    rewrite the whole of our test suite to avoid them.
    
    Add the required logic to support limited backward jumps, to
    instructions that have already been validated by the parser.
    
    Note that it's not sufficient to simply approve any BB_START
    that jumps backwards in the buffer because this would allow an
    attacker to embed a rogue instruction sequence within the
    operand words of a harmless instruction (say LRI) and jump to
    that.
    
    We introduce a bit array to track every instr offset successfully
    validated, and test the target of BB_START against this. If the
    target offset hits, it is re-written to the same offset in the
    shadow buffer and the BB_START cmd is allowed.
    
    Note: This patch deliberately ignores checkpatch issues in the
    cmdtables, in order to match the style of the surrounding code.
    We'll correct the entire file in one go in a later patch.
    
    v2: set dispatch secure late (Mika)
    v3: rebase (Mika)
    v4: Clear whitelist on each parse
    Minor review updates (Chris)
    v5: Correct backward jump batching
    v6: fix compilation error due to struct eb shuffle (Mika)
    Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
    Signed-off-by: Mika Kuoppala <mika.kuoppala@linux.intel.com>
    
    CVE-2019-0155
    
    [tjaalton: backport to i915_bpo
     - intel_engine_cs struct members, variables got renamed s/ring/engine/,
       follow the same renaming here.]
    Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>
    Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
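The whitelist mechanism the commit describes, as an added illustration that is not part of the i915 driver or this patch: a toy batch parser records one bit per dword for every command header it has validated, then lets a BB_START through only when the jump is backward and its target carries such a bit. The command encoding (opcode in the top byte, operand count in the low byte), the opcode values, the `parse_batch`/`demo_*` functions and the three sample batches are all constructed for the example; a real GPU command stream looks nothing like this, and the real parser rewrites the jump to the shadow buffer's GPU address rather than keeping an offset.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy command encoding, not the real GPU instruction format:
 * header dword = opcode in bits 31..24, operand-dword count in bits 7..0. */
enum { OP_NOOP = 0x00, OP_LRI = 0x11, OP_BB_START = 0x31, OP_BB_END = 0x05 };
#define HDR(opc, n)  (((uint32_t)(opc) << 24) | ((uint32_t)(n) & 0xffu))
#define MAX_DWORDS   64

enum parse_result { PARSE_OK = 0, PARSE_REJECT_LEN, PARSE_REJECT_OPCODE,
                    PARSE_REJECT_JUMP, PARSE_REJECT_NO_END };

/* One bit per dword of the batch: set when that dword is a validated header. */
static void whitelist_set(uint8_t *wl, size_t off)
{
    wl[off / 8] |= (uint8_t)(1u << (off % 8));
}

static bool whitelist_test(const uint8_t *wl, size_t off)
{
    return (wl[off / 8] >> (off % 8)) & 1u;
}

/* Walk the batch, copy each validated command into the shadow buffer the GPU
 * will execute, and accept BB_START only for a backward jump whose target is
 * a header that was itself validated earlier in this same walk. */
enum parse_result parse_batch(const uint32_t *batch, size_t len, uint32_t *shadow)
{
    uint8_t wl[(MAX_DWORDS + 7) / 8];
    memset(wl, 0, sizeof wl);             /* whitelist starts empty on every parse */

    if (len == 0 || len > MAX_DWORDS)
        return PARSE_REJECT_LEN;

    for (size_t off = 0; off < len; ) {
        uint32_t hdr = batch[off];
        size_t nops = hdr & 0xffu;
        if (off + 1 + nops > len)
            return PARSE_REJECT_LEN;      /* command overruns the buffer */

        switch (hdr >> 24) {
        case OP_NOOP:
        case OP_LRI:
            break;
        case OP_BB_START: {
            if (nops != 1)
                return PARSE_REJECT_LEN;
            uint32_t target = batch[off + 1];
            /* Backward only, and only onto a whitelisted header: an offset
             * inside an earlier LRI's operand words lies behind us in the
             * buffer but carries no whitelist bit, so it is refused. */
            if (target >= off || !whitelist_test(wl, target))
                return PARSE_REJECT_JUMP;
            break;
        }
        case OP_BB_END:
            shadow[off] = hdr;
            return PARSE_OK;
        default:
            return PARSE_REJECT_OPCODE;   /* unknown or privileged command */
        }
        /* Copied as-is, so a BB_START operand names the same offset in the
         * shadow copy as in the original (the real driver rewrites an address). */
        memcpy(&shadow[off], &batch[off], (1 + nops) * sizeof(uint32_t));
        whitelist_set(wl, off);
        off += 1 + nops;
    }
    return PARSE_REJECT_NO_END;           /* ran off the end without BB_END */
}

/* Three constructed batches exercising the rule. */
enum parse_result demo_backward_jump_to_header(uint32_t *shadow)
{
    const uint32_t b[] = { HDR(OP_LRI, 2), 0x2000, 0x1, HDR(OP_NOOP, 0),
                           HDR(OP_BB_START, 1), 3, HDR(OP_BB_END, 0) };
    return parse_batch(b, sizeof b / sizeof b[0], shadow);
}

enum parse_result demo_jump_into_lri_operands(uint32_t *shadow)
{
    /* dword 1 is LRI data that merely looks like a command header */
    const uint32_t b[] = { HDR(OP_LRI, 2), HDR(0x7f, 0), 0x0,
                           HDR(OP_BB_START, 1), 1, HDR(OP_BB_END, 0) };
    return parse_batch(b, sizeof b / sizeof b[0], shadow);
}

enum parse_result demo_forward_jump(uint32_t *shadow)
{
    const uint32_t b[] = { HDR(OP_BB_START, 1), 2, HDR(OP_BB_END, 0) };
    return parse_batch(b, sizeof b / sizeof b[0], shadow);
}

int main(void)
{
    uint32_t shadow[MAX_DWORDS];
    printf("backward to header: %d\n", demo_backward_jump_to_header(shadow));
    printf("into LRI operands:  %d\n", demo_jump_into_lri_operands(shadow));
    printf("forward jump:       %d\n", demo_forward_jump(shadow));
    return 0;
}
```

The second batch is the case the message warns about: the target lies behind the BB_START, but dword 1 was consumed as LRI data rather than validated as a command, so its whitelist bit is clear and the jump is rejected. The bitmap is rebuilt on every call, matching the v4 note that the whitelist is cleared on each parse.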