From mboxrd@z Thu Jan 1 00:00:00 1970
From: John Keeping
Subject: Re: [PATCH v3 06/24] drm/rockchip: dw-mipi-dsi: avoid out-of-bounds read on tx_buf
Date: Mon, 30 Jan 2017 18:16:36 +0000
Message-ID: <20170130181636.1bc81e86.john@metanate.com>
References: <20170129132444.25251-1-john@metanate.com> <20170129132444.25251-7-john@metanate.com> <20170130180146.GG20076@art_vandelay>
In-Reply-To: <20170130180146.GG20076@art_vandelay>
To: Sean Paul
Cc: linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-rockchip@lists.infradead.org, Chris Zhong, linux-arm-kernel@lists.infradead.org
List-Id: linux-rockchip.vger.kernel.org

On Mon, 30 Jan 2017 13:01:46 -0500, Sean Paul wrote:

> On Sun, Jan 29, 2017 at 01:24:26PM +0000, John Keeping wrote:
> > As a side-effect of this, encode the endianness explicitly rather than
> > casting a u16.
> >
> > Signed-off-by: John Keeping
> > Reviewed-by: Chris Zhong
> > ---
> > v3:
> > - Add Chris' Reviewed-by
> > Unchanged in v2
> >
> > drivers/gpu/drm/rockchip/dw-mipi-dsi.c | 9 +++++++--
> > 1 file changed, 7 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/rockchip/dw-mipi-dsi.c b/drivers/gpu/drm/rockchip/dw-mipi-dsi.c
> > index 4be1ff3a42bb..2e6ad4591ebf 100644
> > --- a/drivers/gpu/drm/rockchip/dw-mipi-dsi.c
> > +++ b/drivers/gpu/drm/rockchip/dw-mipi-dsi.c
> > @@ -572,8 +572,13 @@ static int dw_mipi_dsi_gen_pkt_hdr_write(struct dw_mipi_dsi *dsi, u32 hdr_val)
> > static int dw_mipi_dsi_dcs_short_write(struct dw_mipi_dsi *dsi,
> > const struct mipi_dsi_msg *msg)
> > {
> > - const u16 *tx_buf = msg->tx_buf;
> > - u32 val = GEN_HDATA(*tx_buf) | GEN_HTYPE(msg->type);
> > + const u8 *tx_buf = msg->tx_buf;
> > + u32 val = GEN_HTYPE(msg->type);
> > +
> > + if (msg->tx_len > 0)
> > + val |= GEN_HDATA(tx_buf[0]);
> > + if (msg->tx_len > 1)
> > + val |= GEN_HDATA(tx_buf[1] << 8);
>
> You should probably update the mask inside GEN_HDATA to mask off 8 bits instead of
> 16.

Won't that mask off the data written by "tx_buf[1] << 8"?
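
Review bot: the new "if (msg->tx_len > 0)" and "if (msg->tx_len > 1)" branches in dw_mipi_dsi_dcs_short_write() bound the reads to tx_buf[0] and tx_buf[1], but nothing in the visible lines rejects tx_len greater than 2, so a longer buffer reaching this short-write path would be truncated silently. Unless the caller (not shown in this hunk) already guarantees the length, an explicit check with an error return before building val would make the limit visible. Separately, "val |= GEN_HDATA(tx_buf[1] << 8)" only works while the mask inside GEN_HDATA, whose definition is not shown here, covers 16 bits, which is the point raised in the replies; assembling the 16-bit value from the two bytes first and passing it through GEN_HDATA once would make that dependency explicit and harder to break in a later macro change.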