From: Daniel Vetter <daniel@ffwll.ch>
To: Dave Airlie <airlied@gmail.com>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] drm/dp/mst: zero out i2c read msg before sending
Date: Wed, 14 Oct 2015 10:01:06 +0200 [thread overview]
Message-ID: <20151014080106.GW26718@phenom.ffwll.local> (raw)
In-Reply-To: <1444802840-23654-1-git-send-email-airlied@gmail.com>
On Wed, Oct 14, 2015 at 04:07:20PM +1000, Dave Airlie wrote:
> From: Dave Airlie <airlied@redhat.com>
>
> This avoids some of the fields being random garbage.
>
> found this while debugging some other pain.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Dave Airlie <airlied@redhat.com>
Sligthly more serious is that we have a hardcoded limit on the number of
i2c transactions we accept of 4 and we never check that anywhere. And
that's supplied by userspace through i2c-dev nodes potentially and a few
lines below we just loop over that array.
Ofc the mst_i2c_xfer isn't really compliant in general since it doesn't
process any kind of i2c transactions but only those that drm_edid feeds it
(more or less). But that's another topic, but checking num < 4 is an easy
buffer overflow.
With that addressed too this is Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Cheers, Daniel
> ---
> drivers/gpu/drm/drm_dp_mst_topology.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c
> index ac3c273..2e4f8a3 100644
> --- a/drivers/gpu/drm/drm_dp_mst_topology.c
> +++ b/drivers/gpu/drm/drm_dp_mst_topology.c
> @@ -2627,6 +2627,7 @@ static int drm_dp_mst_i2c_xfer(struct i2c_adapter *adapter, struct i2c_msg *msgs
> goto out;
> }
>
> + memset(&msg, 0, sizeof(msg));
> msg.req_type = DP_REMOTE_I2C_READ;
> msg.u.i2c_read.num_transactions = num - 1;
> msg.u.i2c_read.port_number = port->port_num;
> --
> 2.4.3
>
> _______________________________________________
> dri-devel mailing list
> dri-devel@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/dri-devel
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/dri-devel
prev parent reply other threads:[~2015-10-14 7:58 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-14 6:07 [PATCH] drm/dp/mst: zero out i2c read msg before sending Dave Airlie
2015-10-14 8:01 ` Daniel Vetter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151014080106.GW26718@phenom.ffwll.local \
--to=daniel@ffwll.ch \
--cc=airlied@gmail.com \
--cc=dri-devel@lists.freedesktop.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.