Security and optimization fixes for the via drm:

1. The command verifier was never initialized in the non-core source tree. 2. Check added that the AGP ring buffer has been initialized before accepting command buffer. 3. Free space check in the AGP buffer is moved to after command verification, which is more optimal in most cases.
2025-12-25 03:40:10 +01:00 · 2004-12-06 11:19:23 +00:00 · 2004-12-06 11:19:23 +00:00 · 1fbfd9eb32
commit 1fbfd9eb32
parent 267e064527
5 changed files with 32 additions and 14 deletions
--- a/shared-core/via_dma.c
+++ b/shared-core/via_dma.c
@ -170,19 +170,22 @@ int via_dma_init(DRM_IOCTL_ARGS)

 static int via_dispatch_cmdbuffer(drm_device_t * dev, drm_via_cmdbuffer_t * cmd)
 {
-	drm_via_private_t *dev_priv = dev->dev_private;
+	drm_via_private_t *dev_priv;
 	uint32_t *vb;
 	int ret;

+	dev_priv = (drm_via_private_t *) dev->dev_private;
+
+	if (dev_priv->ring.virtual_start == NULL) {
+		DRM_ERROR("%s called without initializing AGP ring buffer.\n",
+			  __FUNCTION__);
+		return DRM_ERR(EFAULT);
+	}

 	if (cmd->size > pci_bufsiz && pci_bufsiz > 0) {
 		return DRM_ERR(ENOMEM);
 	} 

-	vb = via_check_dma(dev_priv, cmd->size);
-	if (vb == NULL) {
-		return DRM_ERR(EAGAIN);
-	}

 	if (DRM_COPY_FROM_USER(pci_buf, cmd->buf, cmd->size))
 		return DRM_ERR(EFAULT);
@ -198,6 +201,11 @@ static int via_dispatch_cmdbuffer(drm_device_t * dev, drm_via_cmdbuffer_t * cmd)
 		return ret;
 	}
       	
+	vb = via_check_dma(dev_priv, cmd->size);
+	if (vb == NULL) {
+		return DRM_ERR(EAGAIN);
+	}
+
 	memcpy(vb, pci_buf, cmd->size);
 	
 	dev_priv->dma_low += cmd->size;
--- a/shared-core/via_drv.h
+++ b/shared-core/via_drv.h
@ -28,11 +28,11 @@

 #define DRIVER_NAME		"via"
 #define DRIVER_DESC		"VIA Unichrome"
-#define DRIVER_DATE		"20041204"
+#define DRIVER_DATE		"20041206"

 #define DRIVER_MAJOR		2
 #define DRIVER_MINOR		2
-#define DRIVER_PATCHLEVEL	0
+#define DRIVER_PATCHLEVEL	1

 typedef struct drm_via_ring_buffer {
 	drm_map_t map;
--- a/shared/via.h
+++ b/shared/via.h
@ -30,11 +30,11 @@

 #define DRIVER_NAME		"via"
 #define DRIVER_DESC		"VIA Unichrome"
-#define DRIVER_DATE		"20041204"
+#define DRIVER_DATE		"20041206"

 #define DRIVER_MAJOR		2
 #define DRIVER_MINOR		2
-#define DRIVER_PATCHLEVEL	0
+#define DRIVER_PATCHLEVEL	1

 #define DRIVER_IOCTLS							\
        [DRM_IOCTL_NR(DRM_IOCTL_VIA_ALLOCMEM)]  = { via_mem_alloc,  1, 0 }, \
--- a/shared/via_dma.c
+++ b/shared/via_dma.c
@ -171,19 +171,23 @@ int via_dma_init(DRM_IOCTL_ARGS)

 static int via_dispatch_cmdbuffer(drm_device_t * dev, drm_via_cmdbuffer_t * cmd)
 {
-	drm_via_private_t *dev_priv = dev->dev_private;
+        drm_via_private_t *dev_priv;
 	uint32_t *vb;
 	int ret;


+	dev_priv = (drm_via_private_t *) dev->dev_private;
+
+	if (dev_priv->ring.virtual_start == NULL) {
+		DRM_ERROR("%s called without initializing AGP ring buffer.\n",
+			  __FUNCTION__);
+		return DRM_ERR(EFAULT);
+	}
+
 	if (cmd->size > pci_bufsiz && pci_bufsiz > 0) {
 		return DRM_ERR(ENOMEM);
 	} 

-	vb = via_check_dma(dev_priv, cmd->size);
-	if (vb == NULL) {
-		return DRM_ERR(EAGAIN);
-	}

 	if (DRM_COPY_FROM_USER(pci_buf, cmd->buf, cmd->size))
 		return DRM_ERR(EFAULT);
@ -199,6 +203,11 @@ static int via_dispatch_cmdbuffer(drm_device_t * dev, drm_via_cmdbuffer_t * cmd)
 		return ret;
 	}
       	
+	vb = via_check_dma(dev_priv, cmd->size);
+	if (vb == NULL) {
+		return DRM_ERR(EAGAIN);
+	}
+
 	memcpy(vb, pci_buf, cmd->size);
 	
 	dev_priv->dma_low += cmd->size;
--- a/shared/via_map.c
+++ b/shared/via_map.c
@ -33,6 +33,7 @@ int via_do_init_map(drm_device_t * dev, drm_via_init_t * init)

 	DRM_DEBUG("%s\n", __FUNCTION__);

+	via_init_command_verifier();
 	dev_priv = DRM(alloc) (sizeof(drm_via_private_t), DRM_MEM_DRIVER);
 	if (dev_priv == NULL)
 		return -ENOMEM;