* [PATCH] drm/amdgpu: Fix even more out of bound writes from debugfs
@ 2021-10-27 13:03 Patrik Jakobsson
2021-10-27 13:47 ` Harry Wentland
0 siblings, 1 reply; 4+ messages in thread
From: Patrik Jakobsson @ 2021-10-27 13:03 UTC (permalink / raw)
To: amd-gfx; +Cc: tdwilliamsiv, alexdeucher, Patrik Jakobsson, Patrik Jakobsson
CVE-2021-42327 was fixed by:
commit f23750b5b3d98653b31d4469592935ef6364ad67
Author: Thelford Williams <tdwilliamsiv@gmail.com>
Date: Wed Oct 13 16:04:13 2021 -0400
drm/amdgpu: fix out of bounds write
but amdgpu_dm_debugfs.c contains more of the same issue so fix the
remaining ones.
Fixes: 918698d5c2b5 ("drm/amd/display: Return the number of bytes parsed than allocated")
Signed-off-by: Patrik Jakobsson <pjakobsson@suse.de>
---
.../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
index 1a68a674913c..33bdf15febc6 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
@@ -491,7 +491,7 @@ static ssize_t dp_phy_settings_write(struct file *f, const char __user *buf,
if (!wr_buf)
return -ENOSPC;
- if (parse_write_buffer_into_params(wr_buf, size,
+ if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
(long *)param, buf,
max_param_num,
¶m_nums)) {
@@ -643,7 +643,7 @@ static ssize_t dp_phy_test_pattern_debugfs_write(struct file *f, const char __us
if (!wr_buf)
return -ENOSPC;
- if (parse_write_buffer_into_params(wr_buf, size,
+ if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
(long *)param, buf,
max_param_num,
¶m_nums)) {
@@ -918,7 +918,7 @@ static ssize_t dp_dsc_passthrough_set(struct file *f, const char __user *buf,
return -ENOSPC;
}
- if (parse_write_buffer_into_params(wr_buf, size,
+ if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
¶m, buf,
max_param_num,
¶m_nums)) {
@@ -1215,7 +1215,7 @@ static ssize_t trigger_hotplug(struct file *f, const char __user *buf,
return -ENOSPC;
}
- if (parse_write_buffer_into_params(wr_buf, size,
+ if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
(long *)param, buf,
max_param_num,
¶m_nums)) {
@@ -1400,7 +1400,7 @@ static ssize_t dp_dsc_clock_en_write(struct file *f, const char __user *buf,
return -ENOSPC;
}
- if (parse_write_buffer_into_params(wr_buf, size,
+ if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
(long *)param, buf,
max_param_num,
¶m_nums)) {
@@ -1585,7 +1585,7 @@ static ssize_t dp_dsc_slice_width_write(struct file *f, const char __user *buf,
return -ENOSPC;
}
- if (parse_write_buffer_into_params(wr_buf, size,
+ if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
(long *)param, buf,
max_param_num,
¶m_nums)) {
@@ -1770,7 +1770,7 @@ static ssize_t dp_dsc_slice_height_write(struct file *f, const char __user *buf,
return -ENOSPC;
}
- if (parse_write_buffer_into_params(wr_buf, size,
+ if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
(long *)param, buf,
max_param_num,
¶m_nums)) {
@@ -1948,7 +1948,7 @@ static ssize_t dp_dsc_bits_per_pixel_write(struct file *f, const char __user *bu
return -ENOSPC;
}
- if (parse_write_buffer_into_params(wr_buf, size,
+ if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
(long *)param, buf,
max_param_num,
¶m_nums)) {
--
2.33.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] drm/amdgpu: Fix even more out of bound writes from debugfs
2021-10-27 13:03 [PATCH] drm/amdgpu: Fix even more out of bound writes from debugfs Patrik Jakobsson
@ 2021-10-27 13:47 ` Harry Wentland
2021-10-27 14:24 ` Harry Wentland
2021-10-27 14:26 ` Patrik Jakobsson
0 siblings, 2 replies; 4+ messages in thread
From: Harry Wentland @ 2021-10-27 13:47 UTC (permalink / raw)
To: Patrik Jakobsson, amd-gfx; +Cc: tdwilliamsiv, alexdeucher, Patrik Jakobsson
On 2021-10-27 09:03, Patrik Jakobsson wrote:
> CVE-2021-42327 was fixed by:
>
> commit f23750b5b3d98653b31d4469592935ef6364ad67
> Author: Thelford Williams <tdwilliamsiv@gmail.com>
> Date: Wed Oct 13 16:04:13 2021 -0400
>
> drm/amdgpu: fix out of bounds write
>
> but amdgpu_dm_debugfs.c contains more of the same issue so fix the
> remaining ones.
>
> Fixes: 918698d5c2b5 ("drm/amd/display: Return the number of bytes parsed than allocated")
> Signed-off-by: Patrik Jakobsson <pjakobsson@suse.de>
> ---
> .../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 16 ++++++++--------
> 1 file changed, 8 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> index 1a68a674913c..33bdf15febc6 100644
> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> @@ -491,7 +491,7 @@ static ssize_t dp_phy_settings_write(struct file *f, const char __user *buf,
> if (!wr_buf)
> return -ENOSPC;
>
> - if (parse_write_buffer_into_params(wr_buf, size,
> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> (long *)param, buf,
> max_param_num,
> ¶m_nums)) {
> @@ -643,7 +643,7 @@ static ssize_t dp_phy_test_pattern_debugfs_write(struct file *f, const char __us
> if (!wr_buf)
> return -ENOSPC;
>
> - if (parse_write_buffer_into_params(wr_buf, size,
> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> (long *)param, buf,
> max_param_num,
> ¶m_nums)) {
> @@ -918,7 +918,7 @@ static ssize_t dp_dsc_passthrough_set(struct file *f, const char __user *buf,
> return -ENOSPC;
> }
>
> - if (parse_write_buffer_into_params(wr_buf, size,
> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> ¶m, buf,
> max_param_num,
> ¶m_nums)) {
> @@ -1215,7 +1215,7 @@ static ssize_t trigger_hotplug(struct file *f, const char __user *buf,
> return -ENOSPC;
> }
>
> - if (parse_write_buffer_into_params(wr_buf, size,
> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> (long *)param, buf,
> max_param_num,
> ¶m_nums)) {
> @@ -1400,7 +1400,7 @@ static ssize_t dp_dsc_clock_en_write(struct file *f, const char __user *buf,
> return -ENOSPC;
> }
>
> - if (parse_write_buffer_into_params(wr_buf, size,
> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> (long *)param, buf,
> max_param_num,
> ¶m_nums)) {
> @@ -1585,7 +1585,7 @@ static ssize_t dp_dsc_slice_width_write(struct file *f, const char __user *buf,
> return -ENOSPC;
> }
>
> - if (parse_write_buffer_into_params(wr_buf, size,
> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> (long *)param, buf,
> max_param_num,
> ¶m_nums)) {
> @@ -1770,7 +1770,7 @@ static ssize_t dp_dsc_slice_height_write(struct file *f, const char __user *buf,
> return -ENOSPC;
> }
>
> - if (parse_write_buffer_into_params(wr_buf, size,
> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> (long *)param, buf,
> max_param_num,
> ¶m_nums)) {
> @@ -1948,7 +1948,7 @@ static ssize_t dp_dsc_bits_per_pixel_write(struct file *f, const char __user *bu
> return -ENOSPC;
> }
>
> - if (parse_write_buffer_into_params(wr_buf, size,
> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> (long *)param, buf,
> max_param_num,
> ¶m_nums)) {
>
Thanks. This looks good but you seem to be missing another
instance of this in dp_max_bpc_write.
We'll also want to Linus's suggestion in [1] but I can post
another patch for that.
https://lkml.org/lkml/2021/10/26/993
Harry
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] drm/amdgpu: Fix even more out of bound writes from debugfs
2021-10-27 13:47 ` Harry Wentland
@ 2021-10-27 14:24 ` Harry Wentland
2021-10-27 14:26 ` Patrik Jakobsson
1 sibling, 0 replies; 4+ messages in thread
From: Harry Wentland @ 2021-10-27 14:24 UTC (permalink / raw)
To: Patrik Jakobsson, amd-gfx; +Cc: tdwilliamsiv, alexdeucher, Patrik Jakobsson
On 2021-10-27 09:47, Harry Wentland wrote:
>
>
> On 2021-10-27 09:03, Patrik Jakobsson wrote:
>> CVE-2021-42327 was fixed by:
>>
>> commit f23750b5b3d98653b31d4469592935ef6364ad67
>> Author: Thelford Williams <tdwilliamsiv@gmail.com>
>> Date: Wed Oct 13 16:04:13 2021 -0400
>>
>> drm/amdgpu: fix out of bounds write
>>
>> but amdgpu_dm_debugfs.c contains more of the same issue so fix the
>> remaining ones.
>>
>> Fixes: 918698d5c2b5 ("drm/amd/display: Return the number of bytes parsed than allocated")
>> Signed-off-by: Patrik Jakobsson <pjakobsson@suse.de>
>> ---
>> .../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 16 ++++++++--------
>> 1 file changed, 8 insertions(+), 8 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> index 1a68a674913c..33bdf15febc6 100644
>> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> @@ -491,7 +491,7 @@ static ssize_t dp_phy_settings_write(struct file *f, const char __user *buf,
>> if (!wr_buf)
>> return -ENOSPC;
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>> @@ -643,7 +643,7 @@ static ssize_t dp_phy_test_pattern_debugfs_write(struct file *f, const char __us
>> if (!wr_buf)
>> return -ENOSPC;
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>> @@ -918,7 +918,7 @@ static ssize_t dp_dsc_passthrough_set(struct file *f, const char __user *buf,
>> return -ENOSPC;
>> }
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> ¶m, buf,
>> max_param_num,
>> ¶m_nums)) {
>> @@ -1215,7 +1215,7 @@ static ssize_t trigger_hotplug(struct file *f, const char __user *buf,
>> return -ENOSPC;
>> }
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>> @@ -1400,7 +1400,7 @@ static ssize_t dp_dsc_clock_en_write(struct file *f, const char __user *buf,
>> return -ENOSPC;
>> }
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>> @@ -1585,7 +1585,7 @@ static ssize_t dp_dsc_slice_width_write(struct file *f, const char __user *buf,
>> return -ENOSPC;
>> }
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>> @@ -1770,7 +1770,7 @@ static ssize_t dp_dsc_slice_height_write(struct file *f, const char __user *buf,
>> return -ENOSPC;
>> }
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>> @@ -1948,7 +1948,7 @@ static ssize_t dp_dsc_bits_per_pixel_write(struct file *f, const char __user *bu
>> return -ENOSPC;
>> }
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>>
>
>
> Thanks. This looks good but you seem to be missing another
> instance of this in dp_max_bpc_write.
>
This patch is
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
I'll send a follow-up for dp_max_bpc_write.
Harry
> We'll also want to Linus's suggestion in [1] but I can post
> another patch for that.
>
> https://lkml.org/lkml/2021/10/26/993>>
> Harry
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] drm/amdgpu: Fix even more out of bound writes from debugfs
2021-10-27 13:47 ` Harry Wentland
2021-10-27 14:24 ` Harry Wentland
@ 2021-10-27 14:26 ` Patrik Jakobsson
1 sibling, 0 replies; 4+ messages in thread
From: Patrik Jakobsson @ 2021-10-27 14:26 UTC (permalink / raw)
To: Harry Wentland; +Cc: amd-gfx, tdwilliamsiv, Alex Deucher, Patrik Jakobsson
On Wed, Oct 27, 2021 at 3:47 PM Harry Wentland <harry.wentland@amd.com> wrote:
>
>
>
> On 2021-10-27 09:03, Patrik Jakobsson wrote:
> > CVE-2021-42327 was fixed by:
> >
> > commit f23750b5b3d98653b31d4469592935ef6364ad67
> > Author: Thelford Williams <tdwilliamsiv@gmail.com>
> > Date: Wed Oct 13 16:04:13 2021 -0400
> >
> > drm/amdgpu: fix out of bounds write
> >
> > but amdgpu_dm_debugfs.c contains more of the same issue so fix the
> > remaining ones.
> >
> > Fixes: 918698d5c2b5 ("drm/amd/display: Return the number of bytes parsed than allocated")
> > Signed-off-by: Patrik Jakobsson <pjakobsson@suse.de>
> > ---
> > .../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 16 ++++++++--------
> > 1 file changed, 8 insertions(+), 8 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > index 1a68a674913c..33bdf15febc6 100644
> > --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > @@ -491,7 +491,7 @@ static ssize_t dp_phy_settings_write(struct file *f, const char __user *buf,
> > if (!wr_buf)
> > return -ENOSPC;
> >
> > - if (parse_write_buffer_into_params(wr_buf, size,
> > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> > (long *)param, buf,
> > max_param_num,
> > ¶m_nums)) {
> > @@ -643,7 +643,7 @@ static ssize_t dp_phy_test_pattern_debugfs_write(struct file *f, const char __us
> > if (!wr_buf)
> > return -ENOSPC;
> >
> > - if (parse_write_buffer_into_params(wr_buf, size,
> > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> > (long *)param, buf,
> > max_param_num,
> > ¶m_nums)) {
> > @@ -918,7 +918,7 @@ static ssize_t dp_dsc_passthrough_set(struct file *f, const char __user *buf,
> > return -ENOSPC;
> > }
> >
> > - if (parse_write_buffer_into_params(wr_buf, size,
> > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> > ¶m, buf,
> > max_param_num,
> > ¶m_nums)) {
> > @@ -1215,7 +1215,7 @@ static ssize_t trigger_hotplug(struct file *f, const char __user *buf,
> > return -ENOSPC;
> > }
> >
> > - if (parse_write_buffer_into_params(wr_buf, size,
> > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> > (long *)param, buf,
> > max_param_num,
> > ¶m_nums)) {
> > @@ -1400,7 +1400,7 @@ static ssize_t dp_dsc_clock_en_write(struct file *f, const char __user *buf,
> > return -ENOSPC;
> > }
> >
> > - if (parse_write_buffer_into_params(wr_buf, size,
> > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> > (long *)param, buf,
> > max_param_num,
> > ¶m_nums)) {
> > @@ -1585,7 +1585,7 @@ static ssize_t dp_dsc_slice_width_write(struct file *f, const char __user *buf,
> > return -ENOSPC;
> > }
> >
> > - if (parse_write_buffer_into_params(wr_buf, size,
> > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> > (long *)param, buf,
> > max_param_num,
> > ¶m_nums)) {
> > @@ -1770,7 +1770,7 @@ static ssize_t dp_dsc_slice_height_write(struct file *f, const char __user *buf,
> > return -ENOSPC;
> > }
> >
> > - if (parse_write_buffer_into_params(wr_buf, size,
> > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> > (long *)param, buf,
> > max_param_num,
> > ¶m_nums)) {
> > @@ -1948,7 +1948,7 @@ static ssize_t dp_dsc_bits_per_pixel_write(struct file *f, const char __user *bu
> > return -ENOSPC;
> > }
> >
> > - if (parse_write_buffer_into_params(wr_buf, size,
> > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> > (long *)param, buf,
> > max_param_num,
> > ¶m_nums)) {
> >
>
>
> Thanks. This looks good but you seem to be missing another
> instance of this in dp_max_bpc_write.
Oops, will fix in v2
>
> We'll also want to Linus's suggestion in [1] but I can post
> another patch for that.
>
> https://lkml.org/lkml/2021/10/26/993
>
> Harry
>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-10-27 14:27 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-27 13:03 [PATCH] drm/amdgpu: Fix even more out of bound writes from debugfs Patrik Jakobsson
2021-10-27 13:47 ` Harry Wentland
2021-10-27 14:24 ` Harry Wentland
2021-10-27 14:26 ` Patrik Jakobsson
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.