
Commit debd623

malayakusraman4
authored andcommitted
ZC v2026 : Add error handling, boundary checks and simplify version generation
Signed-off-by: Malaya Kumar Parida <malaya.kumar.parida@intel.com>
1 parent 6e77c70 commit debd623

18 files changed

+314
-303
lines changed

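--- a/DVServerKMD/DVServerKMD.rc
+++ b/DVServerKMD/DVServerKMD.rc
@@ -7,26 +7,27 @@
 ; File Description:
 ; This file will have the DVServerKMD resources
 ;--------------------------------------------------------------------------*/
+#include "winver.h"
+#include "version.h"
 
-#include <winver.h>
-
-VS_VERSION_INFO VERSIONINFO
-FILEVERSION ${FileVersion}
-PRODUCTVERSION ${ProductVersion}
-BEGIN
-BLOCK "StringFileInfo"
-BEGIN
-BLOCK "040904B0"
-BEGIN
-VALUE "FileVersion", "${FileVersion}"
-VALUE "ProductVersion", "${ProductVersionString}"
-VALUE "ProductName", "DVServerKMD.dll"
-VALUE "LegalCopyright", "Copyright (C) 2021 Intel Corporation"
-VALUE "FileDescription", "Display Virtualization Kernel Mode Driver"
-END
-END
-BLOCK "VarFileInfo"
-BEGIN
-VALUE "Translation", 0x409, 1200
-END
-END
+VS_VERSION_INFO VERSIONINFO
+FILEVERSION FILE_VERSION
+PRODUCTVERSION PRODUCT_VERSION
+{
+BLOCK "StringFileInfo"
+{
+BLOCK "040904b0"
+{
+VALUE "FileDescription", "Display Virtualization Kernel Mode Driver"
+VALUE "FileVersion", FILE_VERSION_STR
+VALUE "LegalCopyright", "Copyright (C) 2021 Intel Corporation"
+VALUE "ProductName", "DVServerKMD.dll"
+VALUE "ProductVersion", PRODUCT_VERSION_STR
+}
+}
+BLOCK "VarFileInfo"
+{
+VALUE "Translation", 0x409, 1200
+}
+}
+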

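--- a/DVServerKMD/DVServerKMD.vcxproj
+++ b/DVServerKMD/DVServerKMD.vcxproj
@@ -12,7 +12,6 @@
 </ItemGroup>
 <ItemGroup>
 <None Include="ReadMe.txt" />
-<None Include="UpdateVersion.targets" />
 </ItemGroup>
 <ItemGroup>
 <ClCompile Include="baseobj.cpp" />
@@ -152,5 +151,10 @@ certmgr -del -c -n "DVServerKMD" -s PrivateCertStore</Command>
 <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
 <ImportGroup Label="ExtensionTargets">
 </ImportGroup>
-<Import Project="UpdateVersion.targets" />
+<Target Name="GenerateVersionHeader" BeforeTargets="ClCompile">
+<Exec
+Command="&quot;$(SolutionDir)generate_version_header.bat&quot; &quot;$(ProjectDir)DVServerKMD_Version.txt&quot; &quot;$(ProjectDir)&quot;"
+WorkingDirectory="$(ProjectDir)"
+/>
+</Target>
 </Project>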
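Review bot: The `GenerateVersionHeader` target declares no `Inputs`/`Outputs`, so the `Exec` runs the batch script on every build, and if the script rewrites the generated header each time (presumably the `version.h` that the .rc file includes) every build recompiles its dependents. Declaring them on the target, e.g. `Inputs="$(ProjectDir)DVServerKMD_Version.txt" Outputs="$(ProjectDir)version.h"`, lets MSBuild skip the step when the version file is unchanged; the output name is inferred and should be checked against the script. The script is located through `$(SolutionDir)`, whose value depends on how the build is invoked, so a path relative to `$(MSBuildThisFileDirectory)` would be more predictable for a step that executes code during the driver build.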

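--- a/DVServerKMD/Public.h
+++ b/DVServerKMD/Public.h
@@ -25,6 +25,7 @@ DEFINE_GUID(GUID_DEVINTERFACE_DVServerKMD,
 // {1c514918-a855-460a-97da-ed691dd563cf}
 
 #define MAX_SCAN_OUT 4
+#define MODE_LIST_MAX_SIZE 32
 #define IOCTL_DVSERVER_FRAME_DATA CTL_CODE(FILE_DEVICE_UNKNOWN, 0x807, METHOD_BUFFERED, FILE_ANY_ACCESS)
 #define IOCTL_DVSERVER_CURSOR_DATA CTL_CODE(FILE_DEVICE_UNKNOWN, 0x808, METHOD_BUFFERED, FILE_ANY_ACCESS)
 #define IOCTL_DVSERVER_GET_EDID_DATA CTL_CODE(FILE_DEVICE_UNKNOWN, 0x809, METHOD_BUFFERED, FILE_ANY_ACCESS)
@@ -77,7 +78,7 @@ struct edid_info
 unsigned char edid_data[256];
 unsigned int mode_size;
 unsigned int screen_num;
-mode_info* mode_list;
+struct mode_info mode_list[MODE_LIST_MAX_SIZE];
 };
 
 struct screen_info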
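Review bot: Nothing in this header ties `mode_size` to the new fixed array: `mode_list` now holds `MODE_LIST_MAX_SIZE` entries, but `mode_size` is still a free `unsigned int` that either side of the IOCTL can set. A comment on the field such as `/* number of valid entries in mode_list; must be <= MODE_LIST_MAX_SIZE */` would state the contract, and any code that fills or walks `mode_list` should clamp to that bound (whether it does is not visible here). Replacing the pointer with an inline array also changes `sizeof(struct edid_info)`, so user-mode components built against the old header will presumably fail the new size checks until they are rebuilt; the struct definition begins above the hunk.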

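--- a/DVServerKMD/Queue.cpp
+++ b/DVServerKMD/Queue.cpp
@@ -154,7 +154,13 @@ Return Value:
 ERR("IoctlRequestPresentFb failed with status = %d\n", status);
 return;
 }
-status = WdfRequestRetrieveOutputBuffer(Request, 0, (PVOID*)&resp, &bufSize);
+
+if (OutputBufferLength < sizeof(struct KMDF_IOCTL_Response)) {
+ERR("Output Buffer is too small: provided = %Iu, expected >= %Iu\n", OutputBufferLength, sizeof(struct KMDF_IOCTL_Response));
+return;
+}
+
+status = WdfRequestRetrieveOutputBuffer(Request, sizeof(struct KMDF_IOCTL_Response), (PVOID*)&resp, &bufSize);
 if (!NT_SUCCESS(status)) {
 ERR("Couldn't retrieve Output buffer\n");
 WdfRequestComplete(Request, STATUS_INSUFFICIENT_RESOURCES);
@@ -175,7 +181,12 @@ Return Value:
 return;
 }
 
-status = WdfRequestRetrieveOutputBuffer(Request, 0, (PVOID*)&resp, &bufSize);
+if (OutputBufferLength < sizeof(struct KMDF_IOCTL_Response)) {
+ERR("Output Buffer is too small: provided = %Iu, expected >= %Iu\n", OutputBufferLength, sizeof(struct KMDF_IOCTL_Response));
+return;
+}
+
+status = WdfRequestRetrieveOutputBuffer(Request, sizeof(struct KMDF_IOCTL_Response), (PVOID*)&resp, &bufSize);
 if (!NT_SUCCESS(status)) {
 ERR("Couldn't retrieve Output buffer\n");
 WdfRequestComplete(Request, STATUS_INSUFFICIENT_RESOURCES);
@@ -195,7 +206,12 @@ Return Value:
 return;
 }
 
-status = WdfRequestRetrieveOutputBuffer(Request, 0, (PVOID*)&resp, &bufSize);
+if (OutputBufferLength < sizeof(struct KMDF_IOCTL_Response)) {
+ERR("Output Buffer is too small: provided = %Iu, expected >= %Iu\n", OutputBufferLength, sizeof(struct KMDF_IOCTL_Response));
+return;
+}
+
+status = WdfRequestRetrieveOutputBuffer(Request, sizeof(struct KMDF_IOCTL_Response), (PVOID*)&resp, &bufSize);
 if (!NT_SUCCESS(status)) {
 ERR("Couldn't retrieve Output buffer\n");
 WdfRequestComplete(Request, STATUS_INSUFFICIENT_RESOURCES);
@@ -217,7 +233,13 @@ Return Value:
 status = IoctlRequestSetMode(pDeviceContext, InputBufferLength, OutputBufferLength, Request, &bytesReturned);
 if (status != STATUS_SUCCESS)
 return;
-status = WdfRequestRetrieveOutputBuffer(Request, 0, (PVOID*)&resp, &bufSize);
+
+if (OutputBufferLength < sizeof(struct KMDF_IOCTL_Response)) {
+ERR("Output Buffer is too small: provided = %Iu, expected >= %Iu\n", OutputBufferLength, sizeof(struct KMDF_IOCTL_Response));
+return;
+}
+
+status = WdfRequestRetrieveOutputBuffer(Request, sizeof(struct KMDF_IOCTL_Response), (PVOID*)&resp, &bufSize);
 if (!NT_SUCCESS(status)) {
 ERR("Couldn't retrieve Output buffer\n");
 WdfRequestComplete(Request, STATUS_INSUFFICIENT_RESOURCES);
@@ -233,7 +255,13 @@ Return Value:
 status = IoctlRequestPresentFb(pDeviceContext, InputBufferLength, OutputBufferLength, Request, &bytesReturned);
 if (status != STATUS_SUCCESS)
 return;
-status = WdfRequestRetrieveOutputBuffer(Request, 0, (PVOID*)&resp, &bufSize);
+
+if (OutputBufferLength < sizeof(struct KMDF_IOCTL_Response)) {
+ERR("Output Buffer is too small: provided = %Iu, expected >= %Iu\n", OutputBufferLength, sizeof(struct KMDF_IOCTL_Response));
+return;
+}
+
+status = WdfRequestRetrieveOutputBuffer(Request, sizeof(struct KMDF_IOCTL_Response), (PVOID*)&resp, &bufSize);
 if (!NT_SUCCESS(status)) {
 ERR("Couldn't retrieve Output buffer\n");
 WdfRequestComplete(Request, STATUS_INSUFFICIENT_RESOURCES);
@@ -356,6 +384,11 @@ static NTSTATUS IoctlRequestSetMode(
 return status;
 }
 
+if (InputBufferLength < sizeof(struct FrameMetaData)) {
+ERR("Input Buffer is too small: provided = %Iu, expected >= %Iu\n", InputBufferLength, sizeof(struct FrameMetaData));
+return STATUS_BUFFER_TOO_SMALL;
+}
+
 status = WdfRequestRetrieveInputBuffer(Request, InputBufferLength, (PVOID*)&ptr, NULL);
 if (!NT_SUCCESS(status)) {
 ERR("Couldn't retrieve Input buffer\n");
@@ -425,6 +458,11 @@ static NTSTATUS IoctlRequestPresentFb(
 return status;
 }
 
+if (InputBufferLength < sizeof(struct FrameMetaData)) {
+ERR("Input Buffer is too small: provided = %Iu, expected >= %Iu\n", InputBufferLength, sizeof(struct FrameMetaData));
+return STATUS_BUFFER_TOO_SMALL;
+}
+
 status = WdfRequestRetrieveInputBuffer(Request, InputBufferLength, (PVOID*)&ptr, NULL);
 if (!NT_SUCCESS(status)) {
 ERR("Couldn't retrieve Input buffer\n");
@@ -462,8 +500,6 @@ static NTSTATUS IoctlRequestEdid(
 const WDFREQUEST Request,
 size_t* BytesReturned)
 {
-UNREFERENCED_PARAMETER(InputBufferLength);
-UNREFERENCED_PARAMETER(OutputBufferLength);
 UNREFERENCED_PARAMETER(BytesReturned);
 TRACING();
 
@@ -482,8 +518,12 @@ static NTSTATUS IoctlRequestEdid(
 return status;
 }
 }
+if (InputBufferLength < sizeof(struct edid_info)) {
+ERR("Input Buffer is too small: provided = %Iu, expected >= %Iu\n", InputBufferLength, sizeof(struct edid_info));
+return STATUS_BUFFER_TOO_SMALL;
+}
 
-status = WdfRequestRetrieveInputBuffer(Request, 0, (PVOID*)&edata, &bufSize);
+status = WdfRequestRetrieveInputBuffer(Request, sizeof(struct edid_info), (PVOID*)&edata, &bufSize);
 if (!NT_SUCCESS(status)) {
 ERR("Couldn't retrieve Input buffer\n");
 WdfRequestComplete(Request, STATUS_INSUFFICIENT_RESOURCES);
@@ -497,34 +537,27 @@ static NTSTATUS IoctlRequestEdid(
 return status;
 }
 
-if (edata->mode_size == 0) {
-status = WdfRequestRetrieveOutputBuffer(Request, 0, (PVOID*)&edata, &bufSize);
-if (!NT_SUCCESS(status)) {
-ERR("Couldn't retrieve Output buffer\n");
-WdfRequestComplete(Request, STATUS_INSUFFICIENT_RESOURCES);
-return status;
-}
-
-//Return value from the KMDF DVServer
-if (pAdapter->GetModeListSize(edata->screen_num) != 0) {
-edata->mode_size = pAdapter->GetModeListSize(edata->screen_num);
-} else {
-edata->mode_size = QEMU_MODELIST_SIZE;
-}
-WdfRequestSetInformation(Request, sizeof(struct edid_info));
-} else if ((edata->mode_size == pAdapter->GetModeListSize(edata->screen_num)) || (edata->mode_size == QEMU_MODELIST_SIZE)) {
-status = WdfRequestRetrieveOutputBuffer(Request, 0, (PVOID*)&edata, &bufSize);
-if (!NT_SUCCESS(status)) {
-ERR("Couldn't retrieve Output buffer\n");
-WdfRequestComplete(Request, STATUS_INSUFFICIENT_RESOURCES);
-return status;
-}
-//Return value from the KMDF DVServer
-RtlCopyMemory(edata->edid_data, pAdapter->GetEdidData(edata->screen_num), EDID_V1_BLOCK_SIZE);
+if (OutputBufferLength < sizeof(struct edid_info)) {
+ERR("Output Buffer is too small: provided = %Iu, expected >= %Iu\n", OutputBufferLength, sizeof(struct edid_info));
+return STATUS_BUFFER_TOO_SMALL;
+}
 
-pAdapter->CopyResolution(edata->screen_num, edata);
-WdfRequestSetInformation(Request, sizeof(struct edid_info));
+status = WdfRequestRetrieveOutputBuffer(Request, sizeof(struct edid_info), (PVOID*)&edata, &bufSize);
+if (!NT_SUCCESS(status)) {
+ERR("Couldn't retrieve Output buffer\n");
+WdfRequestComplete(Request, STATUS_INSUFFICIENT_RESOURCES);
+return status;
 }
+//Return value from the KMDF DVServer
+if (pAdapter->GetModeListSize(edata->screen_num) != 0) {
+edata->mode_size = pAdapter->GetModeListSize(edata->screen_num);
+}
+else {
+edata->mode_size = QEMU_MODELIST_SIZE;
+}
+RtlCopyMemory(edata->edid_data, pAdapter->GetEdidData(edata->screen_num), EDID_V1_BLOCK_SIZE);
+pAdapter->CopyResolution(edata->screen_num, edata);
+WdfRequestSetInformation(Request, sizeof(struct edid_info));
 return STATUS_SUCCESS;
 }
 
@@ -537,7 +570,6 @@ static NTSTATUS IoctlRequestTotalScreens(
 {
 TRACING();
 UNREFERENCED_PARAMETER(InputBufferLength);
-UNREFERENCED_PARAMETER(OutputBufferLength);
 UNREFERENCED_PARAMETER(BytesReturned);
 
 NTSTATUS status = STATUS_UNSUCCESSFUL;
@@ -552,7 +584,12 @@ static NTSTATUS IoctlRequestTotalScreens(
 return status;
 }
 
-status = WdfRequestRetrieveOutputBuffer(Request, 0, (PVOID*)&mdata, &bufSize);
+if (OutputBufferLength < sizeof(struct KMDF_IOCTL_Response)) {
+ERR("Output Buffer is too small: provided = %Iu, expected >= %Iu\n", OutputBufferLength, sizeof(struct KMDF_IOCTL_Response));
+return STATUS_BUFFER_TOO_SMALL;
+}
+
+status = WdfRequestRetrieveOutputBuffer(Request, sizeof(struct KMDF_IOCTL_Response), (PVOID*)&mdata, &bufSize);
 if (!NT_SUCCESS(status)) {
 WdfRequestComplete(Request, STATUS_INSUFFICIENT_RESOURCES);
 return status;
@@ -573,16 +610,19 @@ static NTSTATUS IoctlRequestHPEventInfo(
 {
 TRACING();
 UNREFERENCED_PARAMETER(DeviceContext);
-UNREFERENCED_PARAMETER(InputBufferLength);
-UNREFERENCED_PARAMETER(OutputBufferLength);
 UNREFERENCED_PARAMETER(Request);
 UNREFERENCED_PARAMETER(BytesReturned);
 
 NTSTATUS status = STATUS_UNSUCCESSFUL;
 struct hp_info* info = NULL;
 size_t bufSize;
 
-status = WdfRequestRetrieveInputBuffer(Request, 0, (PVOID*)&info, &bufSize);
+if (InputBufferLength < sizeof(struct hp_info)) {
+ERR("Input Buffer is too small: provided = %Iu, expected >= %Iu\n", InputBufferLength, sizeof(struct hp_info));
+return STATUS_BUFFER_TOO_SMALL;
+}
+
+status = WdfRequestRetrieveInputBuffer(Request, sizeof(struct hp_info), (PVOID*)&info, &bufSize);
 if (!NT_SUCCESS(status)) {
 ERR("Couldn't retrieve Input buffer\n");
 WdfRequestComplete(Request, STATUS_INSUFFICIENT_RESOURCES);
@@ -596,7 +636,13 @@ static NTSTATUS IoctlRequestHPEventInfo(
 ERR("Couldn't find adapter\n");
 return status;
 }
-status = WdfRequestRetrieveOutputBuffer(Request, 0, (PVOID*)&info, &bufSize);
+
+if (OutputBufferLength < sizeof(struct hp_info)) {
+ERR("Output Buffer is too small: provided = %Iu, expected >= %Iu\n", OutputBufferLength, sizeof(struct hp_info));
+return STATUS_BUFFER_TOO_SMALL;
+}
+
+status = WdfRequestRetrieveOutputBuffer(Request, sizeof(struct hp_info), (PVOID*)&info, &bufSize);
 if (!NT_SUCCESS(status)) {
 WdfRequestComplete(Request, STATUS_INSUFFICIENT_RESOURCES);
 return status;
@@ -628,6 +674,11 @@ static NTSTATUS IoctlSetPointerShape(
 return status;
 }
 
+if (InputBufferLength < sizeof(struct CursorData)) {
+ERR("Input Buffer is too small: provided = %Iu, expected >= %Iu\n", InputBufferLength, sizeof(struct CursorData));
+return STATUS_BUFFER_TOO_SMALL;
+}
+
 status = WdfRequestRetrieveInputBuffer(Request, InputBufferLength, (PVOID*)&cptr, &bufSize);
 if (!NT_SUCCESS(status)) {
 ERR("Couldn't retrieve Input buffer\n");
@@ -639,6 +690,12 @@ static NTSTATUS IoctlSetPointerShape(
 return STATUS_UNSUCCESSFUL;
 }
 
+if (cptr->screen_num >= MAX_SCAN_OUT) {
+ERR("Screen number provided by UMD: %d is greater than or equal to the maximum supported: %d by the KMD\n",
+cptr->screen_num, MAX_SCAN_OUT);
+return STATUS_UNSUCCESSFUL;
+}
+
 RtlZeroMemory(&pointerShape, sizeof(POINTER_SHAPE));
 pointerShape.pointer.VidPnSourceId = cptr->screen_num;
 pointerShape.pointer.Height = cptr->height;
@@ -679,6 +736,11 @@ static NTSTATUS IoctlSetPointerPosition(
 return status;
 }
 
+if (InputBufferLength < sizeof(struct CursorData)) {
+ERR("Input Buffer is too small: provided = %Iu, expected >= %Iu\n", InputBufferLength, sizeof(struct CursorData));
+return STATUS_BUFFER_TOO_SMALL;
+}
+
 status = WdfRequestRetrieveInputBuffer(Request, InputBufferLength, (PVOID*)&cptr, &bufSize);
 if (!NT_SUCCESS(status)) {
 ERR("Couldn't retrieve Input buffer\n");
@@ -690,6 +752,12 @@ static NTSTATUS IoctlSetPointerPosition(
 return STATUS_UNSUCCESSFUL;
 }
 
+if (cptr->screen_num >= MAX_SCAN_OUT) {
+ERR("Screen number provided by UMD: %d is greater than or equal to the maximum supported: %d by the KMD\n",
+cptr->screen_num, MAX_SCAN_OUT);
+return STATUS_UNSUCCESSFUL;
+}
+
 RtlZeroMemory(&pointerPosition, sizeof(DXGKARG_SETPOINTERPOSITION));
 pointerPosition.X = cptr->cursor_x;
 pointerPosition.Y = cptr->cursor_y;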
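Review bot: The new size checks return without completing the request: in the dispatcher hunks the `OutputBufferLength` check does a bare `return;`, and in the helpers (`IoctlRequestSetMode`, `IoctlRequestPresentFb`, `IoctlRequestEdid`, `IoctlRequestTotalScreens`, `IoctlRequestHPEventInfo` and the two cursor handlers) it returns `STATUS_BUFFER_TOO_SMALL` or `STATUS_UNSUCCESSFUL` to a caller that, in the visible context, only does `if (status != STATUS_SUCCESS) return;`. The neighbouring failure paths call `WdfRequestComplete(Request, STATUS_INSUFFICIENT_RESOURCES);` before returning, so unless completion happens outside these hunks, a caller that passes a short buffer leaves its request pending indefinitely; each new check should complete the request first, e.g. `WdfRequestComplete(Request, STATUS_BUFFER_TOO_SMALL);`. The dispatcher checks also run after the handler has already executed, so the output length is better validated before `IoctlRequestSetMode` or `IoctlRequestPresentFb` is called. Separately, `IoctlRequestEdid` passes `edata->screen_num` to `GetModeListSize`, `GetEdidData` and `CopyResolution` with no range check visible in the hunk, and the `if (cptr->screen_num >= MAX_SCAN_OUT)` guard added to the cursor handlers looks needed there too. All of these function bodies start and end outside the hunks shown.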
