From 3f8a8d3a24e358f839fcb512a4f6dc56b525bd56 Mon Sep 17 00:00:00 2001 From: baggins183 Date: Tue, 3 Sep 2024 03:58:45 -0700 Subject: [PATCH] video_core: Add bounds checking for subspan use in liverpool functions (#717) --- src/video_core/amdgpu/liverpool.cpp | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/src/video_core/amdgpu/liverpool.cpp b/src/video_core/amdgpu/liverpool.cpp index 2a595516d..35003e1a1 100644 --- a/src/video_core/amdgpu/liverpool.cpp +++ b/src/video_core/amdgpu/liverpool.cpp @@ -20,6 +20,20 @@ static const char* acb_task_name{"ACB_TASK"}; std::array Liverpool::ConstantEngine::constants_heap; +static std::span NextPacket(std::span span, size_t offset) { + if (offset > span.size()) { + LOG_ERROR( + Lib_GnmDriver, + ": packet length exceeds remaining submission size. Packet dword count={}, remaining " + "submission dwords={}", + offset, span.size()); + // Return empty subspan so check for next packet bails out + return {}; + } + + return span.subspan(offset); +} + Liverpool::Liverpool() { process_thread = std::jthread{std::bind_front(&Liverpool::Process, this)}; } @@ -150,7 +164,7 @@ Liverpool::Task Liverpool::ProcessCeUpdate(std::span ccb) { UNREACHABLE_MSG("Unknown PM4 type 3 opcode {:#x} with count {}", static_cast(opcode), count); } - ccb = ccb.subspan(header->type3.NumWords() + 1); + ccb = NextPacket(ccb, header->type3.NumWords() + 1); } TracyFiberLeave; @@ -184,7 +198,7 @@ Liverpool::Task Liverpool::ProcessGraphics(std::span dcb, std::spantype3.NumWords(); @@ -525,7 +539,7 @@ Liverpool::Task Liverpool::ProcessGraphics(std::span dcb, std::span(opcode), count); } - dcb = dcb.subspan(header->type3.NumWords() + 1); + dcb = NextPacket(dcb, header->type3.NumWords() + 1); break; } } @@ -627,7 +641,7 @@ Liverpool::Task Liverpool::ProcessCompute(std::span acb, int vqid) { static_cast(opcode), count); } - acb = acb.subspan(header->type3.NumWords() + 1); + acb = NextPacket(acb, header->type3.NumWords() + 1); } TracyFiberLeave;