[PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf.

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf.
@ 2021-10-11 20:21 docfate111
  2021-10-11 20:24 ` Fwd: " T. Williams
  0 siblings, 1 reply; 5+ messages in thread
From: docfate111 @ 2021-10-11 20:21 UTC (permalink / raw)
  To: dri-devel; +Cc: harry.wentland, sunpeng.li

Signed-off-by: docfate111 <tdwilliamsiv@gmail.com>
---
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
index 87daa78a32b8..17f2756a64dc 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
@@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f, const char __user *buf,
 	if (!wr_buf)
 		return -ENOSPC;
 
-	if (parse_write_buffer_into_params(wr_buf, size,
+	if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
 					   (long *)param, buf,
 					   max_param_num,
 					   &param_nums)) {
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Fwd: [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf.
  2021-10-11 20:21 [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf docfate111
@ 2021-10-11 20:24 ` T. Williams
  2021-10-12  7:18   ` Christian König
  0 siblings, 1 reply; 5+ messages in thread
From: T. Williams @ 2021-10-11 20:24 UTC (permalink / raw)
  To: airlied, daniel, Wayne.Lin, mikita.lipski, Nicholas.Kazlauskas,
	stylon.wang, eryk.brol, Jerry.Zuo, victorchengchi.lu,
	aurabindo.pillai, nirmoy.das, Anson.Jacob, amd-gfx

[-- Attachment #1: Type: text/plain, Size: 1344 bytes --]

---------- Forwarded message ---------
From: docfate111 <tdwilliamsiv@gmail.com>
Date: Mon, Oct 11, 2021 at 4:22 PM
Subject: [PATCH] Size can be any value and is user controlled resulting in
overwriting the 40 byte array wr_buf with an arbitrary length of data from
buf.
To: <dri-devel@lists.freedesktop.org>
Cc: <harry.wentland@amd.com>, <sunpeng.li@amd.com>


Signed-off-by: docfate111 <tdwilliamsiv@gmail.com>
---
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
index 87daa78a32b8..17f2756a64dc 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
@@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f,
const char __user *buf,
        if (!wr_buf)
                return -ENOSPC;

-       if (parse_write_buffer_into_params(wr_buf, size,
+       if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
                                           (long *)param, buf,
                                           max_param_num,
                                           &param_nums)) {
-- 
2.25.1



-- 
Thank you for your time,
Thelford Williams

[-- Attachment #2: Type: text/html, Size: 2145 bytes --]

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: Fwd: [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf.
  2021-10-11 20:24 ` Fwd: " T. Williams
@ 2021-10-12  7:18   ` Christian König
  2021-10-12 20:41     ` T. Williams
  0 siblings, 1 reply; 5+ messages in thread
From: Christian König @ 2021-10-12  7:18 UTC (permalink / raw)
  To: T. Williams, airlied, daniel, Wayne.Lin, mikita.lipski,
	Nicholas.Kazlauskas, stylon.wang, eryk.brol, Jerry.Zuo,
	victorchengchi.lu, aurabindo.pillai, nirmoy.das, Anson.Jacob,
	amd-gfx

[-- Attachment #1: Type: text/plain, Size: 2115 bytes --]

Am 11.10.21 um 22:24 schrieb T. Williams:
>
>
> ---------- Forwarded message ---------
> From: *docfate111* <tdwilliamsiv@gmail.com 
> <mailto:tdwilliamsiv@gmail.com>>
> Date: Mon, Oct 11, 2021 at 4:22 PM
> Subject: [PATCH] Size can be any value and is user controlled 
> resulting in overwriting the 40 byte array wr_buf with an arbitrary 
> length of data from buf.
> To: <dri-devel@lists.freedesktop.org 
> <mailto:dri-devel@lists.freedesktop.org>>
> Cc: <harry.wentland@amd.com <mailto:harry.wentland@amd.com>>, 
> <sunpeng.li@amd.com <mailto:sunpeng.li@amd.com>>
>
>
> Signed-off-by: docfate111 <tdwilliamsiv@gmail.com 
> <mailto:tdwilliamsiv@gmail.com>>

While the find might be correct there are a couple of style problems 
with the patch.

First of all the subject line must be shorter and should be something 
like "drm/amdgpu: fix out of bounds write".

The detailed description of the bug then comes into the commit message.

And finally please use your real name for the Signed-off-by line.

Apart from that good catch,
Christian.

> ---
>  drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c 
> b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> index 87daa78a32b8..17f2756a64dc 100644
> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> @@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file 
> *f, const char __user *buf,
>         if (!wr_buf)
>                 return -ENOSPC;
>
> -       if (parse_write_buffer_into_params(wr_buf, size,
> +       if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>                                            (long *)param, buf,
>                                            max_param_num,
>                                            &param_nums)) {
> -- 
> 2.25.1
>
>
>
> -- 
> Thank you for your time,
> Thelford Williams


[-- Attachment #2: Type: text/html, Size: 4004 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Fwd: [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf.
  2021-10-12  7:18   ` Christian König
@ 2021-10-12 20:41     ` T. Williams
  2021-10-12 20:56       ` Alex Deucher
  0 siblings, 1 reply; 5+ messages in thread
From: T. Williams @ 2021-10-12 20:41 UTC (permalink / raw)
  To: Christian König
  Cc: airlied, Daniel Vetter, Wayne.Lin, mikita.lipski,
	Nicholas.Kazlauskas, stylon.wang, eryk.brol, Jerry.Zuo,
	victorchengchi.lu, aurabindo.pillai, nirmoy.das, Anson.Jacob,
	amd-gfx

[-- Attachment #1: Type: text/plain, Size: 2471 bytes --]

Should I resubmit the patch email with correct formatting? MITRE assigned
this bug as CVE-2021-42327. Does AMD/kernel do public vulnerability
reports? Do I need to email someone else or something(sorry for dumb
questions this is my first time doing this and I don't know what to do)?
I am trying to do step 11 from here:
https://cve.mitre.org/cve/researcher_reservation_guidelines.

On Tue, Oct 12, 2021 at 3:18 AM Christian König <
ckoenig.leichtzumerken@gmail.com> wrote:

> Am 11.10.21 um 22:24 schrieb T. Williams:
>
>
>
> ---------- Forwarded message ---------
> From: docfate111 <tdwilliamsiv@gmail.com>
> Date: Mon, Oct 11, 2021 at 4:22 PM
> Subject: [PATCH] Size can be any value and is user controlled resulting in
> overwriting the 40 byte array wr_buf with an arbitrary length of data from
> buf.
> To: <dri-devel@lists.freedesktop.org>
> Cc: <harry.wentland@amd.com>, <sunpeng.li@amd.com>
>
>
> Signed-off-by: docfate111 <tdwilliamsiv@gmail.com>
>
>
> While the find might be correct there are a couple of style problems with
> the patch.
>
> First of all the subject line must be shorter and should be something like
> "drm/amdgpu: fix out of bounds write".
>
> The detailed description of the bug then comes into the commit message.
>
> And finally please use your real name for the Signed-off-by line.
>
> Apart from that good catch,
> Christian.
>
> ---
>  drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> index 87daa78a32b8..17f2756a64dc 100644
> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> @@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f,
> const char __user *buf,
>         if (!wr_buf)
>                 return -ENOSPC;
>
> -       if (parse_write_buffer_into_params(wr_buf, size,
> +       if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>                                            (long *)param, buf,
>                                            max_param_num,
>                                            &param_nums)) {
> --
> 2.25.1
>
>
>
> --
> Thank you for your time,
> Thelford Williams
>
>
>

-- 
Thank you for your time,
Thelford Williams

[-- Attachment #2: Type: text/html, Size: 4599 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Fwd: [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf.
  2021-10-12 20:41     ` T. Williams
@ 2021-10-12 20:56       ` Alex Deucher
  0 siblings, 0 replies; 5+ messages in thread
From: Alex Deucher @ 2021-10-12 20:56 UTC (permalink / raw)
  To: T. Williams
  Cc: Christian König, Dave Airlie, Daniel Vetter, Wayne Lin,
	Lipski, Mikita, Kazlauskas, Nicholas, Stylon Wang, Eryk Brol,
	Jerry Zuo, Victor Lu, Aurabindo Pillai, Nirmoy Das, Anson Jacob,
	amd-gfx list

On Tue, Oct 12, 2021 at 4:45 PM T. Williams <tdwilliamsiv@gmail.com> wrote:
>
> Should I resubmit the patch email with correct formatting? MITRE assigned this bug as CVE-2021-42327. Does AMD/kernel do public vulnerability reports? Do I need to email someone else or something(sorry for dumb questions this is my first time doing this and I don't know what to do)?
> I am trying to do step 11 from here: https://cve.mitre.org/cve/researcher_reservation_guidelines.

Just resend the fixed up patch using git-send-email and we'll apply it.

Alex

>
> On Tue, Oct 12, 2021 at 3:18 AM Christian König <ckoenig.leichtzumerken@gmail.com> wrote:
>>
>> Am 11.10.21 um 22:24 schrieb T. Williams:
>>
>>
>>
>> ---------- Forwarded message ---------
>> From: docfate111 <tdwilliamsiv@gmail.com>
>> Date: Mon, Oct 11, 2021 at 4:22 PM
>> Subject: [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf.
>> To: <dri-devel@lists.freedesktop.org>
>> Cc: <harry.wentland@amd.com>, <sunpeng.li@amd.com>
>>
>>
>> Signed-off-by: docfate111 <tdwilliamsiv@gmail.com>
>>
>>
>> While the find might be correct there are a couple of style problems with the patch.
>>
>> First of all the subject line must be shorter and should be something like "drm/amdgpu: fix out of bounds write".
>>
>> The detailed description of the bug then comes into the commit message.
>>
>> And finally please use your real name for the Signed-off-by line.
>>
>> Apart from that good catch,
>> Christian.
>>
>> ---
>>  drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> index 87daa78a32b8..17f2756a64dc 100644
>> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> @@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f, const char __user *buf,
>>         if (!wr_buf)
>>                 return -ENOSPC;
>>
>> -       if (parse_write_buffer_into_params(wr_buf, size,
>> +       if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>>                                            (long *)param, buf,
>>                                            max_param_num,
>>                                            &param_nums)) {
>> --
>> 2.25.1
>>
>>
>>
>> --
>> Thank you for your time,
>> Thelford Williams
>>
>>
>
>
> --
> Thank you for your time,
> Thelford Williams

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2021-10-12 20:56 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-11 20:21 [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf docfate111
2021-10-11 20:24 ` Fwd: " T. Williams
2021-10-12  7:18   ` Christian König
2021-10-12 20:41     ` T. Williams
2021-10-12 20:56       ` Alex Deucher

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.