| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b99efcc6-1fdf-2f51-0f65-0bd1cfa2fa90@suse.de>
Date: Fri, 14 Apr 2023 09:28:54 +0200
From: Thomas Zimmermann <tzimmermann@...e.de>
To: Sui Jingfeng <15330273260@....cn>,
Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
Maxime Ripard <mripard@...nel.org>,
David Airlie <airlied@...il.com>, Li Yi <liyi@...ngson.cn>,
Helge Deller <deller@....de>,
Lucas De Marchi <lucas.demarchi@...el.com>,
linux-kernel@...r.kernel.org, linux-fbdev@...r.kernel.org,
dri-devel@...ts.freedesktop.org, loongson-kernel@...ts.loongnix.cn
Subject: Re: [PATCH] drm/fbdev-generic: fix potential out-of-bounds access
Hi
Am 13.04.23 um 22:01 schrieb Daniel Vetter:
> On Thu, Apr 13, 2023 at 09:20:23PM +0200, Thomas Zimmermann wrote:
>> Hi
>>
>> Am 13.04.23 um 20:56 schrieb Daniel Vetter:
>> [...]
>>>
>>> This should switch the existing code over to using drm_framebuffer instead
>>> of fbdev:
>>>
>>>
>>> diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
>>> index ef4eb8b12766..99ca69dd432f 100644
>>> --- a/drivers/gpu/drm/drm_fb_helper.c
>>> +++ b/drivers/gpu/drm/drm_fb_helper.c
>>> @@ -647,22 +647,26 @@ static void drm_fb_helper_damage(struct drm_fb_helper *helper, u32 x, u32 y,
>>> static void drm_fb_helper_memory_range_to_clip(struct fb_info *info, off_t off, size_t len,
>>> struct drm_rect *clip)
>>> {
>>> + struct drm_fb_helper *helper = info->par;
>>> +
>>> off_t end = off + len;
>>> u32 x1 = 0;
>>> u32 y1 = off / info->fix.line_length;
>>> - u32 x2 = info->var.xres;
>>> - u32 y2 = DIV_ROUND_UP(end, info->fix.line_length);
>>> + u32 x2 = helper->fb->height;
>>> + unsigned stride = helper->fb->pitches[0];
>>> + u32 y2 = DIV_ROUND_UP(end, stride);
>>> + int bpp = drm_format_info_bpp(helper->fb->format, 0);
>>
>> Please DONT do that. The code here is fbdev code and shouldn't bother about
>> DRM data structures. Actually, it shouldn't be here: a number of fbdev
>> drivers with deferred I/O contain similar code and the fbdev module should
>> provide us with a helper. (I think I even had some patches somewhere.)
>
> Well my thinking is that it's a drm driver, so if we have issue with limit
Technically, it's not a driver, but a client.
> checks blowing up it makes more sense to check them against drm limits.
You can still do this in fb_dirty during the actual update.
> Plus a lot more people understand those than fbdev. They should all match
> anyway, or if they dont, we have a bug. The thing is, if you change this
> further to just pass the drm_framebuffer, then this 100% becomes a drm
> function, which could be used by anything in drm really.
The code is only useful to fbdev-generic and a number older of fbdev
drivers. Nothing else uses deferred I/O and the rsp damage handling.
Anything else operates directly on memory buffers. (i915 is a bit
special, but doesn't use this damage handling.) The function really
should not be here.
I'd push back on additional DRM code with fbdev deferred I/O. Drivers'
fbdev should either operate directly on GEM buffers; or the driver
should employ fbdev-generic.
Best regards
Thomas
>
> But also *shrug*.
> -Daniel
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg)
Geschäftsführer: Ivo Totev
Download attachment "OpenPGP_signature" of type "application/pgp-signature" (841 bytes)
Powered by blists - more mailing lists