lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 18 May 2022 09:57:16 +0200
From:   Andrzej Hajda <andrzej.hajda@...el.com>
To:     Hangyu Hua <hbh25y@...il.com>, <narmstrong@...libre.com>,
        <robert.foss@...aro.org>, <Laurent.pinchart@...asonboard.com>,
        <jonas@...boo.se>, <jernej.skrabec@...il.com>, <airlied@...ux.ie>,
        <daniel@...ll.ch>, <architt@...eaurora.org>
CC:     <dri-devel@...ts.freedesktop.org>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] drm: bridge: sii8620: fix possible off-by-one



On 18.05.2022 08:58, Hangyu Hua wrote:
> The next call to sii8620_burst_get_tx_buf will result in off-by-one
> When ctx->burst.tx_count + size == ARRAY_SIZE(ctx->burst.tx_buf). The same
> thing happens in sii8620_burst_get_rx_buf.
>
> This patch also change tx_count and tx_buf to rx_count and rx_buf in
> sii8620_burst_get_rx_buf. It is unreasonable to check tx_buf's size and
> use rx_buf.
>
> Fixes: e19e9c692f81 ("drm/bridge/sii8620: add support for burst eMSC transmissions")
> Signed-off-by: Hangyu Hua <hbh25y@...il.com>
Reviewed-by: Andrzej Hajda <andrzej.hajda@...el.com>

Regards
Andrzej
> ---
>   drivers/gpu/drm/bridge/sil-sii8620.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/bridge/sil-sii8620.c b/drivers/gpu/drm/bridge/sil-sii8620.c
> index ec7745c31da0..ab0bce4a988c 100644
> --- a/drivers/gpu/drm/bridge/sil-sii8620.c
> +++ b/drivers/gpu/drm/bridge/sil-sii8620.c
> @@ -605,7 +605,7 @@ static void *sii8620_burst_get_tx_buf(struct sii8620 *ctx, int len)
>   	u8 *buf = &ctx->burst.tx_buf[ctx->burst.tx_count];
>   	int size = len + 2;
>   
> -	if (ctx->burst.tx_count + size > ARRAY_SIZE(ctx->burst.tx_buf)) {
> +	if (ctx->burst.tx_count + size >= ARRAY_SIZE(ctx->burst.tx_buf)) {
>   		dev_err(ctx->dev, "TX-BLK buffer exhausted\n");
>   		ctx->error = -EINVAL;
>   		return NULL;
> @@ -622,7 +622,7 @@ static u8 *sii8620_burst_get_rx_buf(struct sii8620 *ctx, int len)
>   	u8 *buf = &ctx->burst.rx_buf[ctx->burst.rx_count];
>   	int size = len + 1;
>   
> -	if (ctx->burst.tx_count + size > ARRAY_SIZE(ctx->burst.tx_buf)) {
> +	if (ctx->burst.rx_count + size >= ARRAY_SIZE(ctx->burst.rx_buf)) {
>   		dev_err(ctx->dev, "RX-BLK buffer exhausted\n");
>   		ctx->error = -EINVAL;
>   		return NULL;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ