From 13d07978ff8c35897f4164d9455c7410ade9f4e2 Mon Sep 17 00:00:00 2001
From: Alyssa Rosenzweig
Date: Mon, 19 Aug 2019 10:56:23 -0700
Subject: [PATCH] pan/decode: Bounds check polygon list and tiler heap

We have the BOs available; ensure that the bounds specified in the command stream are actually the correct bounds.

Signed-off-by: Alyssa Rosenzweig
---
 src/panfrost/pandecode/decode.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/src/panfrost/pandecode/decode.c b/src/panfrost/pandecode/decode.c
index 782ad2991fc..fb91e2eaa7c 100644
--- a/src/panfrost/pandecode/decode.c
+++ b/src/panfrost/pandecode/decode.c
@@ -494,13 +494,28 @@ pandecode_midgard_tiler_descriptor(const struct midgard_tiler_descriptor *t)
  /* It needs to fit inside the reported size */
  assert(t->polygon_list_size >= body_offset);
 
- /* TODO: Check BO size */
+ /* Check that we fit */
+ struct pandecode_mapped_memory *plist =
+ pandecode_find_mapped_gpu_mem_containing(t->polygon_list);
+
+ assert(t->polygon_list_size <= plist->length);
+
  pandecode_msg("body offset %d\n", body_offset);
 
- /* The tiler heap has a start and end specified. TODO: Check size */
+ /* The tiler heap has a start and end specified, so check that
+ * everything fits in a contiguous BO (otherwise, we risk out-of-bounds
+ * reads) */
+
  MEMORY_PROP(t, heap_start);
  assert(t->heap_end >= t->heap_start);
- pandecode_msg("heap size %d\n", t->heap_end - t->heap_start);
+
+ struct pandecode_mapped_memory *heap =
+ pandecode_find_mapped_gpu_mem_containing(t->heap_start);
+
+ unsigned heap_size = t->heap_end - t->heap_start;
+ assert(heap_size <= heap->length);
+
+ pandecode_msg("heap size %d\n", heap_size);
 
  bool nonzero_weights = false;
 
-- 
2.30.2
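Review bot: Both new bounds checks compare a size against the whole BO length (`assert(t->polygon_list_size <= plist->length)` and `assert(heap_size <= heap->length)`), so a range that starts partway into the BO and runs past its end still passes; the pointer's offset from the BO base should be subtracted first. The result of pandecode_find_mapped_gpu_mem_containing() is also dereferenced without a NULL check, which matters if the lookup can fail for an address that no mapped BO contains, and because these are assert()s the checks presumably disappear in NDEBUG builds. Storing the heap extent in `unsigned` may truncate it if heap_start and heap_end are 64-bit GPU addresses, letting an oversized range pass the comparison. The sketch below assumes the mapping exposes its base address as `gpu_va` (confirm against the struct definition); the enclosing function starts and ends outside the hunk.

```c
struct pandecode_mapped_memory *plist =
        pandecode_find_mapped_gpu_mem_containing(t->polygon_list);

/* The lookup may fail for an address outside every mapped BO */
assert(plist != NULL);

/* Bound the range from the pointer's offset, not from the BO base */
uint64_t plist_offset = t->polygon_list - plist->gpu_va;
assert(plist_offset <= plist->length);
assert(t->polygon_list_size <= plist->length - plist_offset);

/* … unchanged: body offset message, heap comment, MEMORY_PROP, heap_end >= heap_start assert … */

struct pandecode_mapped_memory *heap =
        pandecode_find_mapped_gpu_mem_containing(t->heap_start);

assert(heap != NULL);

/* Keep the extent at full width so a large range cannot wrap below the limit */
uint64_t heap_offset = t->heap_start - heap->gpu_va;
uint64_t heap_size = t->heap_end - t->heap_start;
assert(heap_offset <= heap->length);
assert(heap_size <= heap->length - heap_offset);

pandecode_msg("heap size %llu\n", (unsigned long long) heap_size);
```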