From 13e1377044d581d692af77656e3bc32c9eb183f7 Mon Sep 17 00:00:00 2001 From: Ben Skeggs Date: Wed, 11 Jul 2007 12:38:48 +1000 Subject: nouveau: Some checks on userspace object handles. --- shared-core/nouveau_fifo.c | 3 +++ shared-core/nouveau_object.c | 26 +++++++++++++++++++++++++- 2 files changed, 28 insertions(+), 1 deletion(-) (limited to 'shared-core') diff --git a/shared-core/nouveau_fifo.c b/shared-core/nouveau_fifo.c index bc3a9948..fcdc14c8 100644 --- a/shared-core/nouveau_fifo.c +++ b/shared-core/nouveau_fifo.c @@ -474,6 +474,9 @@ static int nouveau_ioctl_fifo_alloc(DRM_IOCTL_ARGS) DRM_COPY_FROM_USER_IOCTL(init, (drm_nouveau_fifo_alloc_t __user *) data, sizeof(init)); + if (init.fb_ctxdma_handle == ~0 || init.tt_ctxdma_handle == ~0) + return DRM_ERR(EINVAL); + res = nouveau_fifo_alloc(dev, &init.channel, filp, init.fb_ctxdma_handle, init.tt_ctxdma_handle); diff --git a/shared-core/nouveau_object.c b/shared-core/nouveau_object.c index dcb29b40..82944c2b 100644 --- a/shared-core/nouveau_object.c +++ b/shared-core/nouveau_object.c @@ -470,6 +470,26 @@ nouveau_gpuobj_new_ref(drm_device_t *dev, int oc, int rc, uint32_t handle, return 0; } +static int +nouveau_gpuobj_ref_find(drm_device_t *dev, int channel, uint32_t handle, + nouveau_gpuobj_ref_t **ref_ret) +{ + drm_nouveau_private_t *dev_priv = dev->dev_private; + struct nouveau_fifo *chan = dev_priv->fifos[channel]; + nouveau_gpuobj_ref_t *ref = chan->ramht_refs; + + while (ref) { + if (ref->handle == handle) { + if (ref_ret) + *ref_ret = ref; + return 0; + } + ref = ref->next; + } + + return DRM_ERR(EINVAL); +} + int nouveau_gpuobj_new_fake(drm_device_t *dev, uint32_t offset, uint32_t size, uint32_t flags, nouveau_gpuobj_t **pgpuobj, @@ -927,7 +947,11 @@ int nouveau_ioctl_grobj_alloc(DRM_IOCTL_ARGS) } //FIXME: check args, only allow trusted objects to be created - //FIXME: check for pre-existing handle + + if (init.handle == ~0) + return DRM_ERR(EINVAL); + if (nouveau_gpuobj_ref_find(dev, init.channel, init.handle, NULL) == 0) + return DRM_ERR(EEXIST); if ((ret = nouveau_gpuobj_gr_new(dev, init.channel, init.class, &gr))) { DRM_ERROR("Error creating gr object: %d (%d/0x%08x)\n", -- cgit v1.2.3