lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 9 Oct 2019 18:32:35 +0200
From:   Daniel Vetter <daniel@...ll.ch>
To:     Colin Ian King <colin.king@...onical.com>
Cc:     Harry Wentland <harry.wentland@....com>,
        Leo Li <sunpeng.li@....com>,
        Alex Deucher <alexander.deucher@....com>,
        Christian König <christian.koenig@....com>,
        "David (ChunMing) Zhou" <David1.Zhou@....com>,
        David Airlie <airlied@...ux.ie>,
        Daniel Vetter <daniel@...ll.ch>,
        amd-gfx mailing list <amd-gfx@...ts.freedesktop.org>,
        "dri-devel@...ts.freedesktop.org" <dri-devel@...ts.freedesktop.org>,
        Bhawanpreet Lakha <Bhawanpreet.Lakha@....com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: drm/amd/display: Add HDCP module - static analysis bug report

On Thu, Oct 03, 2019 at 11:08:03PM +0100, Colin Ian King wrote:
> Hi,
> 
> Static analysis with Coverity has detected a potential issue with
> function validate_bksv in
> drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c with recent
> commit:
> 
> commit ed9d8e2bcb003ec94658cafe9b1bb3960e2139ec
> Author: Bhawanpreet Lakha <Bhawanpreet.Lakha@....com>
> Date:   Tue Aug 6 17:52:01 2019 -0400
> 
>     drm/amd/display: Add HDCP module

I think the real question here is ... why is this not using drm_hdcp?
-Daniel

> 
> 
> The analysis is as follows:
> 
>  28 static inline enum mod_hdcp_status validate_bksv(struct mod_hdcp *hdcp)
>  29 {
> 
> CID 89852 (#1 of 1): Out-of-bounds read (OVERRUN)
> 
> 1. overrun-local:
> Overrunning array of 5 bytes at byte offset 7 by dereferencing pointer
> (uint64_t *)hdcp->auth.msg.hdcp1.bksv.
> 
>  30        uint64_t n = *(uint64_t *)hdcp->auth.msg.hdcp1.bksv;
>  31        uint8_t count = 0;
>  32
>  33        while (n) {
>  34                count++;
>  35                n &= (n - 1);
>  36        }
> 
> hdcp->auth.msg.hdcp1.bksv is an array of 5 uint8_t as defined in
> drivers/gpu/drm/amd/display/modules/hdcp/hdcp.h as follows:
> 
> struct mod_hdcp_message_hdcp1 {
>         uint8_t         an[8];
>         uint8_t         aksv[5];
>         uint8_t         ainfo;
>         uint8_t         bksv[5];
>         uint16_t        r0p;
>         uint8_t         bcaps;
>         uint16_t        bstatus;
>         uint8_t         ksvlist[635];
>         uint16_t        ksvlist_size;
>         uint8_t         vp[20];
> 
>         uint16_t        binfo_dp;
> };
> 
> variable n is going to contain the contains of r0p and bcaps. I'm not
> sure if that is intentional. If not, then the count is going to be
> incorrect if these are non-zero.
> 
> Colin

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ