lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20240331064552.6112-1-m.kobuk@ispras.ru>
Date: Sun, 31 Mar 2024 09:45:51 +0300
From: Mikhail Kobuk <m.kobuk@...ras.ru>
To: Karol Herbst <kherbst@...hat.com>
Cc: Mikhail Kobuk <m.kobuk@...ras.ru>,
	Lyude Paul <lyude@...hat.com>,
	Danilo Krummrich <dakr@...hat.com>,
	David Airlie <airlied@...il.com>,
	Daniel Vetter <daniel@...ll.ch>,
	Ben Skeggs <bskeggs@...hat.com>,
	Francisco Jerez <currojerez@...eup.net>,
	dri-devel@...ts.freedesktop.org,
	nouveau@...ts.freedesktop.org,
	linux-kernel@...r.kernel.org,
	lvc-project@...uxtesting.org,
	Fedor Pchelkin <pchelkin@...ras.ru>,
	Alexey Khoroshilov <khoroshilov@...ras.ru>
Subject: [PATCH] drm: nv04: Add check to avoid out of bounds access

Output Resource (dcb->or) value is not guaranteed to be non-zero (i.e.
in drivers/gpu/drm/nouveau/nouveau_bios.c, in 'fabricate_dcb_encoder_table()'
'dcb->or' is assigned value '0' in call to 'fabricate_dcb_output()').

Add check to validate 'dcb->or' before it's used.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 2e5702aff395 ("drm/nouveau: fabricate DCB encoder table for iMac G4")
Signed-off-by: Mikhail Kobuk <m.kobuk@...ras.ru>
---
 drivers/gpu/drm/nouveau/dispnv04/dac.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/nouveau/dispnv04/dac.c b/drivers/gpu/drm/nouveau/dispnv04/dac.c
index d6b8e0cce2ac..0c8d4fc95ff3 100644
--- a/drivers/gpu/drm/nouveau/dispnv04/dac.c
+++ b/drivers/gpu/drm/nouveau/dispnv04/dac.c
@@ -428,7 +428,7 @@ void nv04_dac_update_dacclk(struct drm_encoder *encoder, bool enable)
 	struct drm_device *dev = encoder->dev;
 	struct dcb_output *dcb = nouveau_encoder(encoder)->dcb;
 
-	if (nv_gf4_disp_arch(dev)) {
+	if (nv_gf4_disp_arch(dev) && ffs(dcb->or)) {
 		uint32_t *dac_users = &nv04_display(dev)->dac_users[ffs(dcb->or) - 1];
 		int dacclk_off = NV_PRAMDAC_DACCLK + nv04_dac_output_offset(encoder);
 		uint32_t dacclk = NVReadRAMDAC(dev, 0, dacclk_off);
@@ -453,7 +453,7 @@ bool nv04_dac_in_use(struct drm_encoder *encoder)
 	struct drm_device *dev = encoder->dev;
 	struct dcb_output *dcb = nouveau_encoder(encoder)->dcb;
 
-	return nv_gf4_disp_arch(encoder->dev) &&
+	return nv_gf4_disp_arch(encoder->dev) && ffs(dcb->or) &&
 		(nv04_display(dev)->dac_users[ffs(dcb->or) - 1] & ~(1 << dcb->index));
 }
 
-- 
2.44.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ