lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <SN1PR12MB2445380EECE2FAEEF81C5758F5FD9@SN1PR12MB2445.namprd12.prod.outlook.com>
Date:   Thu, 12 Jan 2023 06:42:09 +0000
From:   "Liu, HaoPing (Alan)" <HaoPing.Liu@....com>
To:     "Mahfooz, Hamza" <Hamza.Mahfooz@....com>,
        "amd-gfx@...ts.freedesktop.org" <amd-gfx@...ts.freedesktop.org>
CC:     "Wentland, Harry" <Harry.Wentland@....com>,
        "Li, Sun peng (Leo)" <Sunpeng.Li@....com>,
        "Siqueira, Rodrigo" <Rodrigo.Siqueira@....com>,
        "Deucher, Alexander" <Alexander.Deucher@....com>,
        "Koenig, Christian" <Christian.Koenig@....com>,
        "Pan, Xinhui" <Xinhui.Pan@....com>,
        David Airlie <airlied@...il.com>,
        Daniel Vetter <daniel@...ll.ch>,
        "Lin, Wayne" <Wayne.Lin@....com>,
        "Pillai, Aurabindo" <Aurabindo.Pillai@....com>,
        "Li, Roman" <Roman.Li@....com>, "Wu, Hersen" <hersenxs.wu@....com>,
        "Zuo, Jerry" <Jerry.Zuo@....com>,
        "Dhillon, Jasdeep" <Jasdeep.Dhillon@....com>,
        "Liu, Aaron" <Aaron.Liu@....com>,
        "dri-devel@...ts.freedesktop.org" <dri-devel@...ts.freedesktop.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH] drm/amd/display: fix possible buffer overflow relating to
 secure display

[AMD Official Use Only - General]

Reviewed-by: Alan Liu <HaoPing.Liu@....com>

Thanks,
Alan

-----Original Message-----
From: Mahfooz, Hamza <Hamza.Mahfooz@....com> 
Sent: Thursday, January 12, 2023 2:17 AM
To: amd-gfx@...ts.freedesktop.org
Cc: Mahfooz, Hamza <Hamza.Mahfooz@....com>; Wentland, Harry <Harry.Wentland@....com>; Li, Sun peng (Leo) <Sunpeng.Li@....com>; Siqueira, Rodrigo <Rodrigo.Siqueira@....com>; Deucher, Alexander <Alexander.Deucher@....com>; Koenig, Christian <Christian.Koenig@....com>; Pan, Xinhui <Xinhui.Pan@....com>; David Airlie <airlied@...il.com>; Daniel Vetter <daniel@...ll.ch>; Lin, Wayne <Wayne.Lin@....com>; Pillai, Aurabindo <Aurabindo.Pillai@....com>; Li, Roman <Roman.Li@....com>; Wu, Hersen <hersenxs.wu@....com>; Zuo, Jerry <Jerry.Zuo@....com>; Liu, HaoPing (Alan) <HaoPing.Liu@....com>; Dhillon, Jasdeep <Jasdeep.Dhillon@....com>; Liu, Aaron <Aaron.Liu@....com>; dri-devel@...ts.freedesktop.org; linux-kernel@...r.kernel.org
Subject: [PATCH] drm/amd/display: fix possible buffer overflow relating to secure display

It is possible that adev->dm.dc->caps.max_links is greater than AMDGPU_MAX_CRTCS. So, to not potentially access unallocated memory use
adev->mode_info.num_crtc to do the bounds check instead of 
adev->dm.dc->caps.max_links.

Fixes: 278b2b5ba2f2 ("drm/amd/display: Implement multiple secure display")
Fixes: 65a2fbe75cd5 ("drm/amd/display: Fix when disabling secure_display")
Signed-off-by: Hamza Mahfooz <hamza.mahfooz@....com>
---
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c     | 2 +-
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c | 8 +++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index b4d60eedbcbf..86a268cc4b21 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -1742,7 +1742,7 @@ static void amdgpu_dm_fini(struct amdgpu_device *adev)
 
 #if defined(CONFIG_DRM_AMD_SECURE_DISPLAY)
 	if (adev->dm.secure_display_ctxs) {
-		for (i = 0; i < adev->dm.dc->caps.max_links; i++) {
+		for (i = 0; i < adev->mode_info.num_crtc; i++) {
 			if (adev->dm.secure_display_ctxs[i].crtc) {
 				flush_work(&adev->dm.secure_display_ctxs[i].notify_ta_work);
 				flush_work(&adev->dm.secure_display_ctxs[i].forward_roi_work);
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c
index 8841c447d0e2..8873ecada27c 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c
@@ -223,7 +223,7 @@ int amdgpu_dm_crtc_configure_crc_source(struct drm_crtc *crtc,  #if defined(CONFIG_DRM_AMD_SECURE_DISPLAY)
 		/* Disable secure_display if it was enabled */
 		if (!enable) {
-			for (i = 0; i < adev->dm.dc->caps.max_links; i++) {
+			for (i = 0; i < adev->mode_info.num_crtc; i++) {
 				if (adev->dm.secure_display_ctxs[i].crtc == crtc) {
 					/* stop ROI update on this crtc */
 					flush_work(&adev->dm.secure_display_ctxs[i].notify_ta_work);
@@ -544,12 +544,14 @@ amdgpu_dm_crtc_secure_display_create_contexts(struct amdgpu_device *adev)
 	struct secure_display_context *secure_display_ctxs = NULL;
 	int i;
 
-	secure_display_ctxs = kcalloc(AMDGPU_MAX_CRTCS, sizeof(struct secure_display_context), GFP_KERNEL);
+	secure_display_ctxs = kcalloc(adev->mode_info.num_crtc,
+				      sizeof(struct secure_display_context),
+				      GFP_KERNEL);
 
 	if (!secure_display_ctxs)
 		return NULL;
 
-	for (i = 0; i < adev->dm.dc->caps.max_links; i++) {
+	for (i = 0; i < adev->mode_info.num_crtc; i++) {
 		INIT_WORK(&secure_display_ctxs[i].forward_roi_work, amdgpu_dm_forward_crc_window);
 		INIT_WORK(&secure_display_ctxs[i].notify_ta_work, amdgpu_dm_crtc_notify_ta_to_read);
 		secure_display_ctxs[i].crtc = &adev->mode_info.crtcs[i]->base;
--
2.38.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ