lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <f13b0ddd-747f-432d-bab2-5b63bb830f89@suse.de>
Date: Tue, 6 Jan 2026 08:24:54 +0100
From: Thomas Zimmermann <tzimmermann@...e.de>
To: Dmitry Baryshkov <dmitry.baryshkov@....qualcomm.com>,
 Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
 Maxime Ripard <mripard@...nel.org>, David Airlie <airlied@...il.com>,
 Simona Vetter <simona@...ll.ch>, Harry Wentland <harry.wentland@....com>,
 Leo Li <sunpeng.li@....com>, Rodrigo Siqueira <siqueira@...lia.com>,
 Alex Deucher <alexander.deucher@....com>,
 Christian König <christian.koenig@....com>
Cc: dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
 amd-gfx@...ts.freedesktop.org
Subject: Re: [PATCH v3 2/3] drm/atomic: add max_size check to
 drm_property_replace_blob_from_id()



Am 06.01.26 um 04:09 schrieb Dmitry Baryshkov:
> The function drm_property_replace_blob_from_id() allows checking whether
> the blob size is equal to a predefined value. In case of variable-size
> properties (like the gamma / degamma LUTs) we might want to check for
> the blob size against the maximum, allowing properties of the size
> lesser than the max supported by the hardware. Extend the function in
> order to support such checks.
>
> Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@....qualcomm.com>

Reviewed-by: Thomas Zimmermann <tzimmermann@...e.de>

> ---
>   .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c    | 18 +++++++++---------
>   drivers/gpu/drm/drm_atomic_uapi.c                      | 14 ++++++--------
>   drivers/gpu/drm/drm_property.c                         | 11 +++++++++++
>   include/drm/drm_property.h                             |  1 +
>   4 files changed, 27 insertions(+), 17 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
> index 2e3ee78999d9..8c5912b59e19 100644
> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
> @@ -1676,8 +1676,8 @@ dm_atomic_plane_set_property(struct drm_plane *plane,
>   	if (property == adev->mode_info.plane_degamma_lut_property) {
>   		ret = drm_property_replace_blob_from_id(plane->dev,
>   							&dm_plane_state->degamma_lut,
> -							val, -1,
> -							sizeof(struct drm_color_lut),
> +							val,
> +							-1, -1, sizeof(struct drm_color_lut),
>   							&replaced);
>   		dm_plane_state->base.color_mgmt_changed |= replaced;
>   		return ret;
> @@ -1695,15 +1695,15 @@ dm_atomic_plane_set_property(struct drm_plane *plane,
>   		ret = drm_property_replace_blob_from_id(plane->dev,
>   							&dm_plane_state->ctm,
>   							val,
> -							sizeof(struct drm_color_ctm_3x4), -1,
> +							-1, sizeof(struct drm_color_ctm_3x4), -1,
>   							&replaced);
>   		dm_plane_state->base.color_mgmt_changed |= replaced;
>   		return ret;
>   	} else if (property == adev->mode_info.plane_shaper_lut_property) {
>   		ret = drm_property_replace_blob_from_id(plane->dev,
>   							&dm_plane_state->shaper_lut,
> -							val, -1,
> -							sizeof(struct drm_color_lut),
> +							val,
> +							-1, -1, sizeof(struct drm_color_lut),
>   							&replaced);
>   		dm_plane_state->base.color_mgmt_changed |= replaced;
>   		return ret;
> @@ -1715,16 +1715,16 @@ dm_atomic_plane_set_property(struct drm_plane *plane,
>   	} else if (property == adev->mode_info.plane_lut3d_property) {
>   		ret = drm_property_replace_blob_from_id(plane->dev,
>   							&dm_plane_state->lut3d,
> -							val, -1,
> -							sizeof(struct drm_color_lut),
> +							val,
> +							-1, -1, sizeof(struct drm_color_lut),
>   							&replaced);
>   		dm_plane_state->base.color_mgmt_changed |= replaced;
>   		return ret;
>   	} else if (property == adev->mode_info.plane_blend_lut_property) {
>   		ret = drm_property_replace_blob_from_id(plane->dev,
>   							&dm_plane_state->blend_lut,
> -							val, -1,
> -							sizeof(struct drm_color_lut),
> +							val,
> +							-1, -1, sizeof(struct drm_color_lut),
>   							&replaced);
>   		dm_plane_state->base.color_mgmt_changed |= replaced;
>   		return ret;
> diff --git a/drivers/gpu/drm/drm_atomic_uapi.c b/drivers/gpu/drm/drm_atomic_uapi.c
> index 7320db4b8489..dff1fdefcbeb 100644
> --- a/drivers/gpu/drm/drm_atomic_uapi.c
> +++ b/drivers/gpu/drm/drm_atomic_uapi.c
> @@ -416,7 +416,7 @@ static int drm_atomic_crtc_set_property(struct drm_crtc *crtc,
>   		ret = drm_property_replace_blob_from_id(dev,
>   					&state->degamma_lut,
>   					val,
> -					-1, sizeof(struct drm_color_lut),
> +					-1, -1, sizeof(struct drm_color_lut),
>   					&replaced);
>   		state->color_mgmt_changed |= replaced;
>   		return ret;
> @@ -424,7 +424,7 @@ static int drm_atomic_crtc_set_property(struct drm_crtc *crtc,
>   		ret = drm_property_replace_blob_from_id(dev,
>   					&state->ctm,
>   					val,
> -					sizeof(struct drm_color_ctm), -1,
> +					-1, sizeof(struct drm_color_ctm), -1,
>   					&replaced);
>   		state->color_mgmt_changed |= replaced;
>   		return ret;
> @@ -432,7 +432,7 @@ static int drm_atomic_crtc_set_property(struct drm_crtc *crtc,
>   		ret = drm_property_replace_blob_from_id(dev,
>   					&state->gamma_lut,
>   					val,
> -					-1, sizeof(struct drm_color_lut),
> +					-1, -1, sizeof(struct drm_color_lut),
>   					&replaced);
>   		state->color_mgmt_changed |= replaced;
>   		return ret;
> @@ -587,8 +587,7 @@ static int drm_atomic_plane_set_property(struct drm_plane *plane,
>   		ret = drm_property_replace_blob_from_id(dev,
>   					&state->fb_damage_clips,
>   					val,
> -					-1,
> -					sizeof(struct drm_mode_rect),
> +					-1, -1, sizeof(struct drm_mode_rect),
>   					&replaced);
>   		return ret;
>   	} else if (property == plane->scaling_filter_property) {
> @@ -717,8 +716,7 @@ static int drm_atomic_color_set_data_property(struct drm_colorop *colorop,
>   	return drm_property_replace_blob_from_id(colorop->dev,
>   						 &state->data,
>   						 val,
> -						 size,
> -						 elem_size,
> +						 -1, size, elem_size,
>   						 &replaced);
>   }
>   
> @@ -876,7 +874,7 @@ static int drm_atomic_connector_set_property(struct drm_connector *connector,
>   		ret = drm_property_replace_blob_from_id(dev,
>   				&state->hdr_output_metadata,
>   				val,
> -				sizeof(struct hdr_output_metadata), -1,
> +				-1, sizeof(struct hdr_output_metadata), -1,
>   				&replaced);
>   		return ret;
>   	} else if (property == config->aspect_ratio_property) {
> diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
> index 596272149a35..955fa960843b 100644
> --- a/drivers/gpu/drm/drm_property.c
> +++ b/drivers/gpu/drm/drm_property.c
> @@ -757,6 +757,7 @@ EXPORT_SYMBOL(drm_property_replace_blob);
>    * @dev: DRM device
>    * @blob: a pointer to the member blob to be replaced
>    * @blob_id: the id of the new blob to replace with
> + * @max_size: the maximum size of the blob property for variable-size blobs
>    * @expected_size: expected size of the blob property
>    * @expected_elem_size: expected size of an element in the blob property
>    * @replaced: if the blob was in fact replaced
> @@ -771,6 +772,7 @@ EXPORT_SYMBOL(drm_property_replace_blob);
>   int drm_property_replace_blob_from_id(struct drm_device *dev,
>   					 struct drm_property_blob **blob,
>   					 uint64_t blob_id,
> +					 ssize_t max_size,
>   					 ssize_t expected_size,
>   					 ssize_t expected_elem_size,
>   					 bool *replaced)
> @@ -785,6 +787,15 @@ int drm_property_replace_blob_from_id(struct drm_device *dev,
>   			return -EINVAL;
>   		}
>   
> +		if (max_size > 0 &&
> +		    new_blob->length > max_size) {
> +			drm_dbg_atomic(dev,
> +				       "[BLOB:%d] length %zu greater than max %zu\n",
> +				       new_blob->base.id, new_blob->length, max_size);
> +			drm_property_blob_put(new_blob);
> +			return -EINVAL;
> +		}
> +
>   		if (expected_size > 0 &&
>   		    new_blob->length != expected_size) {
>   			drm_dbg_atomic(dev,
> diff --git a/include/drm/drm_property.h b/include/drm/drm_property.h
> index 082f29156b3e..aa49b5a42bb5 100644
> --- a/include/drm/drm_property.h
> +++ b/include/drm/drm_property.h
> @@ -284,6 +284,7 @@ int drm_property_replace_blob_from_id(struct drm_device *dev,
>   				      uint64_t blob_id,
>   				      ssize_t expected_size,
>   				      ssize_t expected_elem_size,
> +				      ssize_t max_size,
>   				      bool *replaced);
>   int drm_property_replace_global_blob(struct drm_device *dev,
>   				     struct drm_property_blob **replace,
>

-- 
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstr. 146, 90461 Nürnberg, Germany, www.suse.com
GF: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 36809, AG Nürnberg)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ