lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <202112190934.db7anVBT-lkp@intel.com>
Date:   Wed, 5 Jan 2022 13:11:22 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     kbuild@...ts.01.org, Aurabindo Pillai <aurabindo.pillai@....com>
Cc:     lkp@...el.com, kbuild-all@...ts.01.org,
        linux-kernel@...r.kernel.org,
        Alex Deucher <alexander.deucher@....com>,
        Chris Park <Chris.Park@....com>
Subject: drivers/gpu/drm/amd/amdgpu/../display/dc/dcn303/dcn303_resource.c:533
 dcn303_stream_encoder_create() error: buffer overflow 'stream_enc_regs' 2 <=
 4

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   3f667b5d4053ad54aee13dab5c94f04ff75ddfdf
commit: cd6d421e3d1ad5926b74091254e345db730e7706 drm/amd/display: Initial DC support for Beige Goby
config: x86_64-randconfig-m001-20211207 (https://download.01.org/0day-ci/archive/20211219/202112190934.db7anVBT-lkp@intel.com/config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>
Reported-by: Dan Carpenter <dan.carpenter@...cle.com>

New smatch warnings:
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn303/dcn303_resource.c:533 dcn303_stream_encoder_create() error: buffer overflow 'stream_enc_regs' 2 <= 4

Old smatch warnings:
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn303/dcn303_resource.c:531 dcn303_stream_encoder_create() warn: possible memory leak of 'enc1'

vim +/stream_enc_regs +533 drivers/gpu/drm/amd/amdgpu/../display/dc/dcn303/dcn303_resource.c

cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  511  static struct stream_encoder *dcn303_stream_encoder_create(enum engine_id eng_id, struct dc_context *ctx)
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  512  {
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  513  	struct dcn10_stream_encoder *enc1;
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  514  	struct vpg *vpg;
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  515  	struct afmt *afmt;
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  516  	int vpg_inst;
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  517  	int afmt_inst;
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  518  
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  519  	/* Mapping of VPG, AFMT, DME register blocks to DIO block instance */
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  520  	if (eng_id <= ENGINE_ID_DIGE) {
                                                            ^^^^^^^^^^^^^^^^^^^^^^^^
eng_id <= 4

cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  521  		vpg_inst = eng_id;
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  522  		afmt_inst = eng_id;
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  523  	} else
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  524  		return NULL;
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  525  
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  526  	enc1 = kzalloc(sizeof(struct dcn10_stream_encoder), GFP_KERNEL);
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  527  	vpg = dcn303_vpg_create(ctx, vpg_inst);
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  528  	afmt = dcn303_afmt_create(ctx, afmt_inst);
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  529  
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  530  	if (!enc1 || !vpg || !afmt)
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  531  		return NULL;
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  532  
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15 @533  	dcn30_dio_stream_encoder_construct(enc1, ctx, ctx->dc_bios, eng_id, vpg, afmt, &stream_enc_regs[eng_id],
                                                                                                                                       ^^^^^^^^^^^^^^^^^^^^^^^^
Out of bounds.  (I have not reviewed the context but these warnings are
pretty reliable).

cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  534  			&se_shift, &se_mask);
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  535  
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  536  	return &enc1->base;
cd6d421e3d1ad5 Aurabindo Pillai 2021-03-15  537  }

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ