lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20160504171135.GF1286@phenom.ffwll.local>
Date:	Wed, 4 May 2016 19:11:35 +0200
From:	Daniel Vetter <daniel@...ll.ch>
To:	Lyude <cpaul@...hat.com>
Cc:	intel-gfx@...ts.freedesktop.org, dri-devel@...ts.freedesktop.org,
	open list <linux-kernel@...r.kernel.org>,
	stable@...r.kernel.org
Subject: Re: [PATCH 2/3] drm/fb_helper: Fix references to
 dev->mode_config.num_connector

On Wed, May 04, 2016 at 11:28:52AM -0400, Lyude wrote:
> During boot, MST hotplugs are generally expected (even if no physical
> hotplugging occurs) and result in DRM's connector topology changing.
> This means that using num_connector from the current mode configuration
> can lead to the number of connectors changing under us. This can lead to
> some nasty scenarios in fbcon:
> 
> - We allocate an array to the size of dev->mode_config.num_connectors.
> - MST hotplug occurs, dev->mode_config.num_connectors gets incremented.
> - We try to loop through each element in the array using the new value
>   of dev->mode_config.num_connectors, and end up going out of bounds
>   since dev->mode_config.num_connectors is now larger then the array we
>   allocated.
> 
> fb_helper->connector_count however, will always remain consistent while
> we do a modeset in fb_helper.
> 
> Cc: stable@...r.kernel.org
> Signed-off-by: Lyude <cpaul@...hat.com>

Ok, this one looks like it's indeed in the same critical section (within
drm_setup_outputs) as where we allocate the fb helper connector array. So
I think this one here is not needed to fix a bug?

Still makes sense as a patch, but not with cc: stable I think.
-Daniel

> ---
>  drivers/gpu/drm/drm_fb_helper.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
> index 855108e..15204c0 100644
> --- a/drivers/gpu/drm/drm_fb_helper.c
> +++ b/drivers/gpu/drm/drm_fb_helper.c
> @@ -1914,7 +1914,7 @@ static int drm_pick_crtcs(struct drm_fb_helper *fb_helper,
>  	if (modes[n] == NULL)
>  		return best_score;
>  
> -	crtcs = kzalloc(dev->mode_config.num_connector *
> +	crtcs = kzalloc(fb_helper->connector_count *
>  			sizeof(struct drm_fb_helper_crtc *), GFP_KERNEL);
>  	if (!crtcs)
>  		return best_score;
> @@ -1960,7 +1960,7 @@ static int drm_pick_crtcs(struct drm_fb_helper *fb_helper,
>  		if (score > best_score) {
>  			best_score = score;
>  			memcpy(best_crtcs, crtcs,
> -			       dev->mode_config.num_connector *
> +			       fb_helper->connector_count *
>  			       sizeof(struct drm_fb_helper_crtc *));
>  		}
>  	}
> -- 
> 2.5.5
> 
> _______________________________________________
> dri-devel mailing list
> dri-devel@...ts.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ