| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 03 Nov 2020 14:47:53 -0500
From: Lyude Paul <lyude@...hat.com>
To: Ilia Mirkin <imirkin@...m.mit.edu>
Cc: dri-devel <dri-devel@...ts.freedesktop.org>,
Leon Romanovsky <leon@...nel.org>,
David Airlie <airlied@...ux.ie>, Chao Yu <chao@...nel.org>,
open list <linux-kernel@...r.kernel.org>,
Jason Gunthorpe <jgg@...pe.ca>,
"# 3.9+" <stable@...r.kernel.org>,
Thomas Zimmermann <tzimmermann@...e.de>,
Kalle Valo <kvalo@...eaurora.org>,
Kees Cook <keescook@...omium.org>
Subject: Re: [PATCH] drm/edid: Fix uninitialized variable in drm_cvt_modes()
Sorry! Thought I had responded to this but apparently not, comments down below
On Thu, 2020-10-22 at 14:04 -0400, Ilia Mirkin wrote:
> On Thu, Oct 22, 2020 at 12:55 PM Lyude Paul <lyude@...hat.com> wrote:
> >
> > Noticed this when trying to compile with -Wall on a kernel fork. We
> > potentially
> > don't set width here, which causes the compiler to complain about width
> > potentially being uninitialized in drm_cvt_modes(). So, let's fix that.
> >
> > Signed-off-by: Lyude Paul <lyude@...hat.com>
> >
> > Cc: <stable@...r.kernel.org> # v5.9+
> > Fixes: 3f649ab728cd ("treewide: Remove uninitialized_var() usage")
> > Signed-off-by: Lyude Paul <lyude@...hat.com>
> > ---
> > drivers/gpu/drm/drm_edid.c | 8 +++++++-
> > 1 file changed, 7 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c
> > index 631125b46e04..2da158ffed8e 100644
> > --- a/drivers/gpu/drm/drm_edid.c
> > +++ b/drivers/gpu/drm/drm_edid.c
> > @@ -3094,6 +3094,7 @@ static int drm_cvt_modes(struct drm_connector
> > *connector,
> >
> > for (i = 0; i < 4; i++) {
> > int width, height;
> > + u8 cvt_aspect_ratio;
> >
> > cvt = &(timing->data.other_data.data.cvt[i]);
> >
> > @@ -3101,7 +3102,8 @@ static int drm_cvt_modes(struct drm_connector
> > *connector,
> > continue;
> >
> > height = (cvt->code[0] + ((cvt->code[1] & 0xf0) << 4) + 1) *
> > 2;
> > - switch (cvt->code[1] & 0x0c) {
> > + cvt_aspect_ratio = cvt->code[1] & 0x0c;
> > + switch (cvt_aspect_ratio) {
> > case 0x00:
> > width = height * 4 / 3;
> > break;
> > @@ -3114,6 +3116,10 @@ static int drm_cvt_modes(struct drm_connector
> > *connector,
> > case 0x0c:
> > width = height * 15 / 9;
> > break;
> > + default:
>
> What value would cvt->code[1] have such that this gets hit?
>
> Or is this a "compiler is broken, so let's add more code" situation?
> If so, perhaps the code added could just be enough to silence the
> compiler (unreachable, etc)?
I mean, this information comes from the EDID which inherently means it's coming
from an untrusted source so the value could be literally anything as long as the
EDID has a valid checksum. Note (assuming I'm understanding this code
correctly):
drm_add_edid_modes() → add_cvt_modes() → drm_for_each_detailed_block() →
do_cvt_mode() → drm_cvt_modes()
So afaict this isn't a broken compiler but a legitimate uninitialized variable.
>
> -ilia
>
--
Sincerely,
Lyude Paul (she/her)
Software Engineer at Red Hat
Note: I deal with a lot of emails and have a lot of bugs on my plate. If you've
asked me a question, are waiting for a review/merge on a patch, etc. and I
haven't responded in a while, please feel free to send me another email to check
on my status. I don't bite!
Powered by blists - more mailing lists