* [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf.
@ 2021-10-11 20:21 docfate111
2021-10-11 20:24 ` Fwd: " T. Williams
0 siblings, 1 reply; 5+ messages in thread
From: docfate111 @ 2021-10-11 20:21 UTC (permalink / raw)
To: dri-devel; +Cc: harry.wentland, sunpeng.li
Signed-off-by: docfate111 <tdwilliamsiv@gmail.com>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
index 87daa78a32b8..17f2756a64dc 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
@@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f, const char __user *buf,
if (!wr_buf)
return -ENOSPC;
- if (parse_write_buffer_into_params(wr_buf, size,
+ if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
(long *)param, buf,
max_param_num,
¶m_nums)) {
--
2.25.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Fwd: [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf.
2021-10-11 20:21 [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf docfate111
@ 2021-10-11 20:24 ` T. Williams
2021-10-12 7:18 ` Christian König
0 siblings, 1 reply; 5+ messages in thread
From: T. Williams @ 2021-10-11 20:24 UTC (permalink / raw)
To: airlied, daniel, Wayne.Lin, mikita.lipski, Nicholas.Kazlauskas,
stylon.wang, eryk.brol, Jerry.Zuo, victorchengchi.lu,
aurabindo.pillai, nirmoy.das, Anson.Jacob, amd-gfx
[-- Attachment #1: Type: text/plain, Size: 1344 bytes --]
---------- Forwarded message ---------
From: docfate111 <tdwilliamsiv@gmail.com>
Date: Mon, Oct 11, 2021 at 4:22 PM
Subject: [PATCH] Size can be any value and is user controlled resulting in
overwriting the 40 byte array wr_buf with an arbitrary length of data from
buf.
To: <dri-devel@lists.freedesktop.org>
Cc: <harry.wentland@amd.com>, <sunpeng.li@amd.com>
Signed-off-by: docfate111 <tdwilliamsiv@gmail.com>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
index 87daa78a32b8..17f2756a64dc 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
@@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f,
const char __user *buf,
if (!wr_buf)
return -ENOSPC;
- if (parse_write_buffer_into_params(wr_buf, size,
+ if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
(long *)param, buf,
max_param_num,
¶m_nums)) {
--
2.25.1
--
Thank you for your time,
Thelford Williams
[-- Attachment #2: Type: text/html, Size: 2145 bytes --]
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: Fwd: [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf.
2021-10-11 20:24 ` Fwd: " T. Williams
@ 2021-10-12 7:18 ` Christian König
2021-10-12 20:41 ` T. Williams
0 siblings, 1 reply; 5+ messages in thread
From: Christian König @ 2021-10-12 7:18 UTC (permalink / raw)
To: T. Williams, airlied, daniel, Wayne.Lin, mikita.lipski,
Nicholas.Kazlauskas, stylon.wang, eryk.brol, Jerry.Zuo,
victorchengchi.lu, aurabindo.pillai, nirmoy.das, Anson.Jacob,
amd-gfx
[-- Attachment #1: Type: text/plain, Size: 2115 bytes --]
Am 11.10.21 um 22:24 schrieb T. Williams:
>
>
> ---------- Forwarded message ---------
> From: *docfate111* <tdwilliamsiv@gmail.com
> <mailto:tdwilliamsiv@gmail.com>>
> Date: Mon, Oct 11, 2021 at 4:22 PM
> Subject: [PATCH] Size can be any value and is user controlled
> resulting in overwriting the 40 byte array wr_buf with an arbitrary
> length of data from buf.
> To: <dri-devel@lists.freedesktop.org
> <mailto:dri-devel@lists.freedesktop.org>>
> Cc: <harry.wentland@amd.com <mailto:harry.wentland@amd.com>>,
> <sunpeng.li@amd.com <mailto:sunpeng.li@amd.com>>
>
>
> Signed-off-by: docfate111 <tdwilliamsiv@gmail.com
> <mailto:tdwilliamsiv@gmail.com>>
While the find might be correct there are a couple of style problems
with the patch.
First of all the subject line must be shorter and should be something
like "drm/amdgpu: fix out of bounds write".
The detailed description of the bug then comes into the commit message.
And finally please use your real name for the Signed-off-by line.
Apart from that good catch,
Christian.
> ---
> drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> index 87daa78a32b8..17f2756a64dc 100644
> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> @@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file
> *f, const char __user *buf,
> if (!wr_buf)
> return -ENOSPC;
>
> - if (parse_write_buffer_into_params(wr_buf, size,
> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> (long *)param, buf,
> max_param_num,
> ¶m_nums)) {
> --
> 2.25.1
>
>
>
> --
> Thank you for your time,
> Thelford Williams
[-- Attachment #2: Type: text/html, Size: 4004 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Fwd: [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf.
2021-10-12 7:18 ` Christian König
@ 2021-10-12 20:41 ` T. Williams
2021-10-12 20:56 ` Alex Deucher
0 siblings, 1 reply; 5+ messages in thread
From: T. Williams @ 2021-10-12 20:41 UTC (permalink / raw)
To: Christian König
Cc: airlied, Daniel Vetter, Wayne.Lin, mikita.lipski,
Nicholas.Kazlauskas, stylon.wang, eryk.brol, Jerry.Zuo,
victorchengchi.lu, aurabindo.pillai, nirmoy.das, Anson.Jacob,
amd-gfx
[-- Attachment #1: Type: text/plain, Size: 2471 bytes --]
Should I resubmit the patch email with correct formatting? MITRE assigned
this bug as CVE-2021-42327. Does AMD/kernel do public vulnerability
reports? Do I need to email someone else or something(sorry for dumb
questions this is my first time doing this and I don't know what to do)?
I am trying to do step 11 from here:
https://cve.mitre.org/cve/researcher_reservation_guidelines.
On Tue, Oct 12, 2021 at 3:18 AM Christian König <
ckoenig.leichtzumerken@gmail.com> wrote:
> Am 11.10.21 um 22:24 schrieb T. Williams:
>
>
>
> ---------- Forwarded message ---------
> From: docfate111 <tdwilliamsiv@gmail.com>
> Date: Mon, Oct 11, 2021 at 4:22 PM
> Subject: [PATCH] Size can be any value and is user controlled resulting in
> overwriting the 40 byte array wr_buf with an arbitrary length of data from
> buf.
> To: <dri-devel@lists.freedesktop.org>
> Cc: <harry.wentland@amd.com>, <sunpeng.li@amd.com>
>
>
> Signed-off-by: docfate111 <tdwilliamsiv@gmail.com>
>
>
> While the find might be correct there are a couple of style problems with
> the patch.
>
> First of all the subject line must be shorter and should be something like
> "drm/amdgpu: fix out of bounds write".
>
> The detailed description of the bug then comes into the commit message.
>
> And finally please use your real name for the Signed-off-by line.
>
> Apart from that good catch,
> Christian.
>
> ---
> drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> index 87daa78a32b8..17f2756a64dc 100644
> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> @@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f,
> const char __user *buf,
> if (!wr_buf)
> return -ENOSPC;
>
> - if (parse_write_buffer_into_params(wr_buf, size,
> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> (long *)param, buf,
> max_param_num,
> ¶m_nums)) {
> --
> 2.25.1
>
>
>
> --
> Thank you for your time,
> Thelford Williams
>
>
>
--
Thank you for your time,
Thelford Williams
[-- Attachment #2: Type: text/html, Size: 4599 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Fwd: [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf.
2021-10-12 20:41 ` T. Williams
@ 2021-10-12 20:56 ` Alex Deucher
0 siblings, 0 replies; 5+ messages in thread
From: Alex Deucher @ 2021-10-12 20:56 UTC (permalink / raw)
To: T. Williams
Cc: Christian König, Dave Airlie, Daniel Vetter, Wayne Lin,
Lipski, Mikita, Kazlauskas, Nicholas, Stylon Wang, Eryk Brol,
Jerry Zuo, Victor Lu, Aurabindo Pillai, Nirmoy Das, Anson Jacob,
amd-gfx list
On Tue, Oct 12, 2021 at 4:45 PM T. Williams <tdwilliamsiv@gmail.com> wrote:
>
> Should I resubmit the patch email with correct formatting? MITRE assigned this bug as CVE-2021-42327. Does AMD/kernel do public vulnerability reports? Do I need to email someone else or something(sorry for dumb questions this is my first time doing this and I don't know what to do)?
> I am trying to do step 11 from here: https://cve.mitre.org/cve/researcher_reservation_guidelines.
Just resend the fixed up patch using git-send-email and we'll apply it.
Alex
>
> On Tue, Oct 12, 2021 at 3:18 AM Christian König <ckoenig.leichtzumerken@gmail.com> wrote:
>>
>> Am 11.10.21 um 22:24 schrieb T. Williams:
>>
>>
>>
>> ---------- Forwarded message ---------
>> From: docfate111 <tdwilliamsiv@gmail.com>
>> Date: Mon, Oct 11, 2021 at 4:22 PM
>> Subject: [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf.
>> To: <dri-devel@lists.freedesktop.org>
>> Cc: <harry.wentland@amd.com>, <sunpeng.li@amd.com>
>>
>>
>> Signed-off-by: docfate111 <tdwilliamsiv@gmail.com>
>>
>>
>> While the find might be correct there are a couple of style problems with the patch.
>>
>> First of all the subject line must be shorter and should be something like "drm/amdgpu: fix out of bounds write".
>>
>> The detailed description of the bug then comes into the commit message.
>>
>> And finally please use your real name for the Signed-off-by line.
>>
>> Apart from that good catch,
>> Christian.
>>
>> ---
>> drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> index 87daa78a32b8..17f2756a64dc 100644
>> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> @@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f, const char __user *buf,
>> if (!wr_buf)
>> return -ENOSPC;
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>> --
>> 2.25.1
>>
>>
>>
>> --
>> Thank you for your time,
>> Thelford Williams
>>
>>
>
>
> --
> Thank you for your time,
> Thelford Williams
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-10-12 20:56 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-11 20:21 [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf docfate111
2021-10-11 20:24 ` Fwd: " T. Williams
2021-10-12 7:18 ` Christian König
2021-10-12 20:41 ` T. Williams
2021-10-12 20:56 ` Alex Deucher
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.