| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f848623a-a1de-23f1-3334-5cf4ea0f4d89@amd.com>
Date: Wed, 4 Jan 2023 17:22:46 -0500
From: Hamza Mahfooz <hamza.mahfooz@....com>
To: wenyang.linux@...mail.com,
Alex Deucher <alexander.deucher@....com>,
Aurabindo Pillai <aurabindo.pillai@....com>
Cc: Guenter Roeck <linux@...ck-us.net>,
Harry Wentland <harry.wentland@....com>,
Leo Li <sunpeng.li@....com>, amd-gfx@...ts.freedesktop.org,
dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] drm/amd/display: fix array-bounds errors in dc_stream_remove_writeback()
On 12/25/22 10:10, wenyang.linux@...mail.com wrote:
> From: Wen Yang <wenyang.linux@...mail.com>
>
> The following errors occurred when using gcc 7.5.0-3ubuntu1~18.04:
> drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c: In function ‘dc_stream_remove_writeback’:
> drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c:543:55: warning: array subscript is above array bounds [-Warray-bounds]
> stream->writeback_info[j] = stream->writeback_info[i];
> ~~~~~~~~~~~~~~~~~~~~~~^~~
> Add a check to make sure that num_wb_info won't overflowing the writeback_info buffer.
>
> Fixes: 6fbefb84a98e ("drm/amd/display: Add DC core changes for DCN2")
>
> Signed-off-by: Wen Yang <wenyang.linux@...mail.com>
> Cc: Aurabindo Pillai <aurabindo.pillai@....com>
> Cc: Hamza Mahfooz <hamza.mahfooz@....com>
> Cc: Guenter Roeck <linux@...ck-us.net>
> Cc: Alex Deucher <alexander.deucher@....com>
> Cc: Harry Wentland <harry.wentland@....com>
> Cc: Leo Li <sunpeng.li@....com>
> Cc: amd-gfx@...ts.freedesktop.org
> Cc: dri-devel@...ts.freedesktop.org
> Cc: linux-kernel@...r.kernel.org
Applied, thanks!
> ---
> drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
> index 20e534f73513..9825c30f2ca0 100644
> --- a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
> +++ b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
> @@ -481,6 +481,7 @@ bool dc_stream_add_writeback(struct dc *dc,
> }
>
> if (!isDrc) {
> + ASSERT(stream->num_wb_info + 1 <= MAX_DWB_PIPES);
> stream->writeback_info[stream->num_wb_info++] = *wb_info;
> }
>
> @@ -526,6 +527,11 @@ bool dc_stream_remove_writeback(struct dc *dc,
> return false;
> }
>
> + if (stream->num_wb_info > MAX_DWB_PIPES) {
> + dm_error("DC: num_wb_info is invalid!\n");
> + return false;
> + }
> +
> // stream->writeback_info[dwb_pipe_inst].wb_enabled = false;
> for (i = 0; i < stream->num_wb_info; i++) {
> /*dynamic update*/
> @@ -540,7 +546,8 @@ bool dc_stream_remove_writeback(struct dc *dc,
> if (stream->writeback_info[i].wb_enabled) {
> if (j < i)
> /* trim the array */
> - stream->writeback_info[j] = stream->writeback_info[i];
> + memcpy(&stream->writeback_info[j], &stream->writeback_info[i],
> + sizeof(struct dc_writeback_info));
> j++;
> }
> }
--
Hamza
Powered by blists - more mailing lists