From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-12.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1DFB2C47080 for ; Wed, 2 Jun 2021 02:06:29 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id F3BB7610C9 for ; Wed, 2 Jun 2021 02:06:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229753AbhFBCIK (ORCPT ); Tue, 1 Jun 2021 22:08:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40768 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229654AbhFBCIG (ORCPT ); Tue, 1 Jun 2021 22:08:06 -0400 Received: from mail-ot1-x32e.google.com (mail-ot1-x32e.google.com [IPv6:2607:f8b0:4864:20::32e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 44B64C061574 for ; Tue, 1 Jun 2021 19:06:23 -0700 (PDT) Received: by mail-ot1-x32e.google.com with SMTP id t10-20020a05683022eab0290304ed8bc759so1100466otc.12 for ; Tue, 01 Jun 2021 19:06:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=aCCJ1eFEGcaWx0tMGwZOzk/m+ZOCXhNzKCETdM0irhY=; b=P+CxivsSP2vTyBnLPSJf2UT7S3Vq3UDgbdZmYKTVt14drvzbGjdJeG/9pIdzwmMPV7 J4v6+F13KjldLM5urdVgSSxpyJDvEL7iV4cS3KmurqhIR6Y6EOJPTSS6NFIYqCz7S6g2 nC1Wy0ESwhQmb5uAu2anv8IhUfEeQoJuCETATK/PUf9gd4Ti8/sgsbwEvCezk0dvcPXU jTNEtJbLQwOmLEGTPDOFB0QEGtcWY5ZnebZwEIMYmB4Uesq1t3O/aDSVAW9lIbkNw7QH ZtvsrBEPqPH6HGeXFY1fRr9afwdBSeqCEIu00WQifkpbReliFlcejkEjNC4HnIAnxSxL nhFQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=aCCJ1eFEGcaWx0tMGwZOzk/m+ZOCXhNzKCETdM0irhY=; b=HL55VRLEZjh1qsNAcOcmBUaS8/9Q0tqDjf4nvP/wppbJeEnAgdJILX8mReaMnQiCXd HDE47X5zWVK6uH/2O2uiz6dU4X7bhSwUbsY1Ki8aRUEb0YEzHSM/5LUNTX6tfyIiqBhO IT2QFkcxEcoBKhDEjtVpaIgDdxRpjr/NxaGcA/IOmL8KFTCxDtPSFf6T3N2hPQeduz5J ETHV6hD+iHFoY2gCD/Dkw71k+TZdKS9hUKVpO1T6L6YurvK92A2rd4Ps9hipR23GBWxd cNlQfLloKycpSDAkMZJSUvnXAHQk3RCuH9rGFD3tz0dA4QZ56AhZRI7eepZ7PbCnpmk4 D6uA== X-Gm-Message-State: AOAM53110wgUt53fBy7skLzKu/hPF5NxXcl+W3hZtXjR3vTnBc8cArKd 17Vurri5e1Be+5g1UKTJrIxDW7oYZuuxes3iesI= X-Google-Smtp-Source: ABdhPJz9MyOW+RXyLkak9SmZ4RILzHZIG7xsOaJMyO8H2AOdhEnucej98ktDPPWNnUOAAovWO4h+zDrg9kApmmuFeec= X-Received: by 2002:a9d:57cd:: with SMTP id q13mr24131409oti.23.1622599582693; Tue, 01 Jun 2021 19:06:22 -0700 (PDT) MIME-Version: 1.0 References: <20210528175354.790719-1-keescook@chromium.org> In-Reply-To: <20210528175354.790719-1-keescook@chromium.org> From: Alex Deucher Date: Tue, 1 Jun 2021 22:06:11 -0400 Message-ID: Subject: Re: [PATCH] drm/amd/display: Avoid HDCP over-read and corruption To: Kees Cook Cc: Alex Deucher , Martin Tsai , Leo Li , LKML , Wenjing Liu , Anson Jacob , amd-gfx list , Nicholas Kazlauskas , David Airlie , Daniel Wheeler , Maling list - DRI developers , =?UTF-8?Q?Christian_K=C3=B6nig?= , Bindu Ramamurthy Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 28, 2021 at 1:54 PM Kees Cook wrote: > > Instead of reading the desired 5 bytes of the actual target field, > the code was reading 8. This could result in a corrupted value if the > trailing 3 bytes were non-zero, so instead use an appropriately sized > and zero-initialized bounce buffer, and read only 5 bytes before casting > to u64. > > Signed-off-by: Kees Cook Applied. Thanks! > --- > drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c > index 2cbd931363bd..6d26d9c63ab2 100644 > --- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c > +++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c > @@ -29,8 +29,10 @@ static inline enum mod_hdcp_status validate_bksv(struct mod_hdcp *hdcp) > { > uint64_t n = 0; > uint8_t count = 0; > + u8 bksv[sizeof(n)] = { }; > > - memcpy(&n, hdcp->auth.msg.hdcp1.bksv, sizeof(uint64_t)); > + memcpy(bksv, hdcp->auth.msg.hdcp1.bksv, sizeof(hdcp->auth.msg.hdcp1.bksv)); > + n = *(uint64_t *)bksv; > > while (n) { > count++; > -- > 2.25.1 > From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.5 required=3.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED,DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FORGED_FROMDOMAIN, FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0CED8C4708F for ; Wed, 2 Jun 2021 02:06:25 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id C3DE560720 for ; Wed, 2 Jun 2021 02:06:24 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org C3DE560720 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=dri-devel-bounces@lists.freedesktop.org Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 342616EB4D; Wed, 2 Jun 2021 02:06:24 +0000 (UTC) Received: from mail-ot1-x335.google.com (mail-ot1-x335.google.com [IPv6:2607:f8b0:4864:20::335]) by gabe.freedesktop.org (Postfix) with ESMTPS id 604176EB49; Wed, 2 Jun 2021 02:06:23 +0000 (UTC) Received: by mail-ot1-x335.google.com with SMTP id h24-20020a9d64180000b029036edcf8f9a6so1160032otl.3; Tue, 01 Jun 2021 19:06:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=aCCJ1eFEGcaWx0tMGwZOzk/m+ZOCXhNzKCETdM0irhY=; b=P+CxivsSP2vTyBnLPSJf2UT7S3Vq3UDgbdZmYKTVt14drvzbGjdJeG/9pIdzwmMPV7 J4v6+F13KjldLM5urdVgSSxpyJDvEL7iV4cS3KmurqhIR6Y6EOJPTSS6NFIYqCz7S6g2 nC1Wy0ESwhQmb5uAu2anv8IhUfEeQoJuCETATK/PUf9gd4Ti8/sgsbwEvCezk0dvcPXU jTNEtJbLQwOmLEGTPDOFB0QEGtcWY5ZnebZwEIMYmB4Uesq1t3O/aDSVAW9lIbkNw7QH ZtvsrBEPqPH6HGeXFY1fRr9afwdBSeqCEIu00WQifkpbReliFlcejkEjNC4HnIAnxSxL nhFQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=aCCJ1eFEGcaWx0tMGwZOzk/m+ZOCXhNzKCETdM0irhY=; b=FW/tUr/3pMpmqgar2sV9ecf+h5BhLYw5B8StY4qNTUrTkEbqR4sx8ce9rJTDMb8dQo 3/uD9TIrhGK0fmbnpi0IoGNHPAdpG/DXxWuf0YIVEEamYWgVzYpFwF8Vr4azFlzd7Jvh JIZU+3wTTQtpA3MG2Pv211BHf+EI7o8T3MV67GMJe3TXQA3bChpneOXAAlKi/pVK9KU+ 2qekyqfADTl6j89iuFXcURlHQj88wZFS8V1GbNfFalwZ0ACTRSlSwF4Mp9vgheus2Gwh KHjrXvPMFVfoadI/FEAXCQn3Z7urZnLu3Ke7mjnkk3AtQIukdTtERc+//n9jPaiUahAK PpQQ== X-Gm-Message-State: AOAM530XW41KpRXBE3rVsU/i7Gv2ZABNnkU8EByb/5d+onh4xNzAGCGP YAhRCV6ruNZ8XVhF/DHbZuEuQhsQm9XKfTV1kHhq3lnt X-Google-Smtp-Source: ABdhPJz9MyOW+RXyLkak9SmZ4RILzHZIG7xsOaJMyO8H2AOdhEnucej98ktDPPWNnUOAAovWO4h+zDrg9kApmmuFeec= X-Received: by 2002:a9d:57cd:: with SMTP id q13mr24131409oti.23.1622599582693; Tue, 01 Jun 2021 19:06:22 -0700 (PDT) MIME-Version: 1.0 References: <20210528175354.790719-1-keescook@chromium.org> In-Reply-To: <20210528175354.790719-1-keescook@chromium.org> From: Alex Deucher Date: Tue, 1 Jun 2021 22:06:11 -0400 Message-ID: Subject: Re: [PATCH] drm/amd/display: Avoid HDCP over-read and corruption To: Kees Cook Content-Type: text/plain; charset="UTF-8" X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Martin Tsai , Leo Li , David Airlie , Wenjing Liu , LKML , amd-gfx list , =?UTF-8?Q?Christian_K=C3=B6nig?= , Anson Jacob , Daniel Wheeler , Maling list - DRI developers , Alex Deucher , Nicholas Kazlauskas , Bindu Ramamurthy Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" On Fri, May 28, 2021 at 1:54 PM Kees Cook wrote: > > Instead of reading the desired 5 bytes of the actual target field, > the code was reading 8. This could result in a corrupted value if the > trailing 3 bytes were non-zero, so instead use an appropriately sized > and zero-initialized bounce buffer, and read only 5 bytes before casting > to u64. > > Signed-off-by: Kees Cook Applied. Thanks! > --- > drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c > index 2cbd931363bd..6d26d9c63ab2 100644 > --- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c > +++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c > @@ -29,8 +29,10 @@ static inline enum mod_hdcp_status validate_bksv(struct mod_hdcp *hdcp) > { > uint64_t n = 0; > uint8_t count = 0; > + u8 bksv[sizeof(n)] = { }; > > - memcpy(&n, hdcp->auth.msg.hdcp1.bksv, sizeof(uint64_t)); > + memcpy(bksv, hdcp->auth.msg.hdcp1.bksv, sizeof(hdcp->auth.msg.hdcp1.bksv)); > + n = *(uint64_t *)bksv; > > while (n) { > count++; > -- > 2.25.1 > From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.5 required=3.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED,DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FORGED_FROMDOMAIN, FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7182EC47080 for ; Wed, 2 Jun 2021 02:06:24 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 347BA60720 for ; Wed, 2 Jun 2021 02:06:24 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 347BA60720 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=amd-gfx-bounces@lists.freedesktop.org Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id F1F426EB49; Wed, 2 Jun 2021 02:06:23 +0000 (UTC) Received: from mail-ot1-x335.google.com (mail-ot1-x335.google.com [IPv6:2607:f8b0:4864:20::335]) by gabe.freedesktop.org (Postfix) with ESMTPS id 604176EB49; Wed, 2 Jun 2021 02:06:23 +0000 (UTC) Received: by mail-ot1-x335.google.com with SMTP id h24-20020a9d64180000b029036edcf8f9a6so1160032otl.3; Tue, 01 Jun 2021 19:06:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=aCCJ1eFEGcaWx0tMGwZOzk/m+ZOCXhNzKCETdM0irhY=; b=P+CxivsSP2vTyBnLPSJf2UT7S3Vq3UDgbdZmYKTVt14drvzbGjdJeG/9pIdzwmMPV7 J4v6+F13KjldLM5urdVgSSxpyJDvEL7iV4cS3KmurqhIR6Y6EOJPTSS6NFIYqCz7S6g2 nC1Wy0ESwhQmb5uAu2anv8IhUfEeQoJuCETATK/PUf9gd4Ti8/sgsbwEvCezk0dvcPXU jTNEtJbLQwOmLEGTPDOFB0QEGtcWY5ZnebZwEIMYmB4Uesq1t3O/aDSVAW9lIbkNw7QH ZtvsrBEPqPH6HGeXFY1fRr9afwdBSeqCEIu00WQifkpbReliFlcejkEjNC4HnIAnxSxL nhFQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=aCCJ1eFEGcaWx0tMGwZOzk/m+ZOCXhNzKCETdM0irhY=; b=FW/tUr/3pMpmqgar2sV9ecf+h5BhLYw5B8StY4qNTUrTkEbqR4sx8ce9rJTDMb8dQo 3/uD9TIrhGK0fmbnpi0IoGNHPAdpG/DXxWuf0YIVEEamYWgVzYpFwF8Vr4azFlzd7Jvh JIZU+3wTTQtpA3MG2Pv211BHf+EI7o8T3MV67GMJe3TXQA3bChpneOXAAlKi/pVK9KU+ 2qekyqfADTl6j89iuFXcURlHQj88wZFS8V1GbNfFalwZ0ACTRSlSwF4Mp9vgheus2Gwh KHjrXvPMFVfoadI/FEAXCQn3Z7urZnLu3Ke7mjnkk3AtQIukdTtERc+//n9jPaiUahAK PpQQ== X-Gm-Message-State: AOAM530XW41KpRXBE3rVsU/i7Gv2ZABNnkU8EByb/5d+onh4xNzAGCGP YAhRCV6ruNZ8XVhF/DHbZuEuQhsQm9XKfTV1kHhq3lnt X-Google-Smtp-Source: ABdhPJz9MyOW+RXyLkak9SmZ4RILzHZIG7xsOaJMyO8H2AOdhEnucej98ktDPPWNnUOAAovWO4h+zDrg9kApmmuFeec= X-Received: by 2002:a9d:57cd:: with SMTP id q13mr24131409oti.23.1622599582693; Tue, 01 Jun 2021 19:06:22 -0700 (PDT) MIME-Version: 1.0 References: <20210528175354.790719-1-keescook@chromium.org> In-Reply-To: <20210528175354.790719-1-keescook@chromium.org> From: Alex Deucher Date: Tue, 1 Jun 2021 22:06:11 -0400 Message-ID: Subject: Re: [PATCH] drm/amd/display: Avoid HDCP over-read and corruption To: Kees Cook X-BeenThere: amd-gfx@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion list for AMD gfx List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Martin Tsai , Leo Li , David Airlie , Wenjing Liu , LKML , amd-gfx list , =?UTF-8?Q?Christian_K=C3=B6nig?= , Anson Jacob , Daniel Wheeler , Maling list - DRI developers , Alex Deucher , Nicholas Kazlauskas , Bindu Ramamurthy Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: amd-gfx-bounces@lists.freedesktop.org Sender: "amd-gfx" On Fri, May 28, 2021 at 1:54 PM Kees Cook wrote: > > Instead of reading the desired 5 bytes of the actual target field, > the code was reading 8. This could result in a corrupted value if the > trailing 3 bytes were non-zero, so instead use an appropriately sized > and zero-initialized bounce buffer, and read only 5 bytes before casting > to u64. > > Signed-off-by: Kees Cook Applied. Thanks! > --- > drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c > index 2cbd931363bd..6d26d9c63ab2 100644 > --- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c > +++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c > @@ -29,8 +29,10 @@ static inline enum mod_hdcp_status validate_bksv(struct mod_hdcp *hdcp) > { > uint64_t n = 0; > uint8_t count = 0; > + u8 bksv[sizeof(n)] = { }; > > - memcpy(&n, hdcp->auth.msg.hdcp1.bksv, sizeof(uint64_t)); > + memcpy(bksv, hdcp->auth.msg.hdcp1.bksv, sizeof(hdcp->auth.msg.hdcp1.bksv)); > + n = *(uint64_t *)bksv; > > while (n) { > count++; > -- > 2.25.1 > _______________________________________________ amd-gfx mailing list amd-gfx@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/amd-gfx