From: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
To: Harry Wentland <harry.wentland@amd.com>
Cc: amd-gfx@lists.freedesktop.org, tdwilliamsiv@gmail.com,
Alex Deucher <alexdeucher@gmail.com>,
Patrik Jakobsson <pjakobsson@suse.de>
Subject: Re: [PATCH] drm/amdgpu: Fix even more out of bound writes from debugfs
Date: Wed, 27 Oct 2021 16:26:46 +0200 [thread overview]
Message-ID: <CAMeQTsai8OCjnRQeAMZTKo4DFvGqUPF1__PFxzOzi24iXRMOTg@mail.gmail.com> (raw)
In-Reply-To: <c0744024-bd4c-3849-d218-053377c28b44@amd.com>
On Wed, Oct 27, 2021 at 3:47 PM Harry Wentland <harry.wentland@amd.com> wrote:
>
>
>
> On 2021-10-27 09:03, Patrik Jakobsson wrote:
> > CVE-2021-42327 was fixed by:
> >
> > commit f23750b5b3d98653b31d4469592935ef6364ad67
> > Author: Thelford Williams <tdwilliamsiv@gmail.com>
> > Date: Wed Oct 13 16:04:13 2021 -0400
> >
> > drm/amdgpu: fix out of bounds write
> >
> > but amdgpu_dm_debugfs.c contains more of the same issue so fix the
> > remaining ones.
> >
> > Fixes: 918698d5c2b5 ("drm/amd/display: Return the number of bytes parsed than allocated")
> > Signed-off-by: Patrik Jakobsson <pjakobsson@suse.de>
> > ---
> > .../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 16 ++++++++--------
> > 1 file changed, 8 insertions(+), 8 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > index 1a68a674913c..33bdf15febc6 100644
> > --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > @@ -491,7 +491,7 @@ static ssize_t dp_phy_settings_write(struct file *f, const char __user *buf,
> > if (!wr_buf)
> > return -ENOSPC;
> >
> > - if (parse_write_buffer_into_params(wr_buf, size,
> > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> > (long *)param, buf,
> > max_param_num,
> > ¶m_nums)) {
> > @@ -643,7 +643,7 @@ static ssize_t dp_phy_test_pattern_debugfs_write(struct file *f, const char __us
> > if (!wr_buf)
> > return -ENOSPC;
> >
> > - if (parse_write_buffer_into_params(wr_buf, size,
> > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> > (long *)param, buf,
> > max_param_num,
> > ¶m_nums)) {
> > @@ -918,7 +918,7 @@ static ssize_t dp_dsc_passthrough_set(struct file *f, const char __user *buf,
> > return -ENOSPC;
> > }
> >
> > - if (parse_write_buffer_into_params(wr_buf, size,
> > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> > ¶m, buf,
> > max_param_num,
> > ¶m_nums)) {
> > @@ -1215,7 +1215,7 @@ static ssize_t trigger_hotplug(struct file *f, const char __user *buf,
> > return -ENOSPC;
> > }
> >
> > - if (parse_write_buffer_into_params(wr_buf, size,
> > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> > (long *)param, buf,
> > max_param_num,
> > ¶m_nums)) {
> > @@ -1400,7 +1400,7 @@ static ssize_t dp_dsc_clock_en_write(struct file *f, const char __user *buf,
> > return -ENOSPC;
> > }
> >
> > - if (parse_write_buffer_into_params(wr_buf, size,
> > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> > (long *)param, buf,
> > max_param_num,
> > ¶m_nums)) {
> > @@ -1585,7 +1585,7 @@ static ssize_t dp_dsc_slice_width_write(struct file *f, const char __user *buf,
> > return -ENOSPC;
> > }
> >
> > - if (parse_write_buffer_into_params(wr_buf, size,
> > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> > (long *)param, buf,
> > max_param_num,
> > ¶m_nums)) {
> > @@ -1770,7 +1770,7 @@ static ssize_t dp_dsc_slice_height_write(struct file *f, const char __user *buf,
> > return -ENOSPC;
> > }
> >
> > - if (parse_write_buffer_into_params(wr_buf, size,
> > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> > (long *)param, buf,
> > max_param_num,
> > ¶m_nums)) {
> > @@ -1948,7 +1948,7 @@ static ssize_t dp_dsc_bits_per_pixel_write(struct file *f, const char __user *bu
> > return -ENOSPC;
> > }
> >
> > - if (parse_write_buffer_into_params(wr_buf, size,
> > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> > (long *)param, buf,
> > max_param_num,
> > ¶m_nums)) {
> >
>
>
> Thanks. This looks good but you seem to be missing another
> instance of this in dp_max_bpc_write.
Oops, will fix in v2
>
> We'll also want to Linus's suggestion in [1] but I can post
> another patch for that.
>
> https://lkml.org/lkml/2021/10/26/993
>
> Harry
>
prev parent reply other threads:[~2021-10-27 14:27 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-27 13:03 [PATCH] drm/amdgpu: Fix even more out of bound writes from debugfs Patrik Jakobsson
2021-10-27 13:47 ` Harry Wentland
2021-10-27 14:24 ` Harry Wentland
2021-10-27 14:26 ` Patrik Jakobsson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAMeQTsai8OCjnRQeAMZTKo4DFvGqUPF1__PFxzOzi24iXRMOTg@mail.gmail.com \
--to=patrik.r.jakobsson@gmail.com \
--cc=alexdeucher@gmail.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=harry.wentland@amd.com \
--cc=pjakobsson@suse.de \
--cc=tdwilliamsiv@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.