From mboxrd@z Thu Jan 1 00:00:00 1970 
From: seanpaul@chromium.org (Sean Paul)
Date: Mon, 30 Jan 2017 15:09:55 -0500
Subject: [PATCH v3 06/24] drm/rockchip: dw-mipi-dsi: avoid out-of-bounds read on tx_buf
In-Reply-To: <20170130181636.1bc81e86.john@metanate.com>
References: <20170129132444.25251-1-john@metanate.com> <20170129132444.25251-7-john@metanate.com> <20170130180146.GG20076@art_vandelay> <20170130181636.1bc81e86.john@metanate.com>
Message-ID: <20170130200955.GL20076@art_vandelay>
To: linux-arm-kernel@lists.infradead.org
List-Id: linux-arm-kernel.lists.infradead.org

On Mon, Jan 30, 2017 at 06:16:36PM +0000, John Keeping wrote:
> On Mon, 30 Jan 2017 13:01:46 -0500, Sean Paul wrote:
>
> > On Sun, Jan 29, 2017 at 01:24:26PM +0000, John Keeping wrote:
> > > As a side-effect of this, encode the endianness explicitly rather than
> > > casting a u16.
> > >
> > > Signed-off-by: John Keeping
> > > Reviewed-by: Chris Zhong
> > > ---
> > > v3:
> > > - Add Chris' Reviewed-by
> > > Unchanged in v2
> > >
> > > drivers/gpu/drm/rockchip/dw-mipi-dsi.c | 9 +++++++--
> > > 1 file changed, 7 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/drivers/gpu/drm/rockchip/dw-mipi-dsi.c b/drivers/gpu/drm/rockchip/dw-mipi-dsi.c > > > index 4be1ff3a42bb..2e6ad4591ebf 100644 > > > --- a/drivers/gpu/drm/rockchip/dw-mipi-dsi.c > > > +++ b/drivers/gpu/drm/rockchip/dw-mipi-dsi.c
> > > @@ -572,8 +572,13 @@ static int dw_mipi_dsi_gen_pkt_hdr_write(struct dw_mipi_dsi *dsi, u32 hdr_val) > > > static int dw_mipi_dsi_dcs_short_write(struct dw_mipi_dsi *dsi, > > > const struct mipi_dsi_msg *msg) > > > { > > > - const u16 *tx_buf = msg->tx_buf; > > > - u32 val = GEN_HDATA(*tx_buf) | GEN_HTYPE(msg->type); > > > + const u8 *tx_buf = msg->tx_buf; > > > + u32 val = GEN_HTYPE(msg->type); > > > + > > > + if (msg->tx_len > 0) > > > + val |= GEN_HDATA(tx_buf[0]); > > > + if (msg->tx_len > 1) > > > + val |= GEN_HDATA(tx_buf[1] << 8);
> >
> > You should probably update the mask inside GEN_HDATA to mask off 8 bits instead of
> > 16.
>
> Won't that mask off the data written by "tx_buf[1] << 8"?

I would move the shift outside the mask, ie:

val |= GEN_HDATA(tx_buf[1]) << 8;

Sean

--
Sean Paul, Software Engineer, Google / Chromium OS
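
Review bot: in the two new "if (msg->tx_len > ...)" checks, a tx_len above 2 is accepted and every byte after tx_buf[1] is dropped without an error; nothing in the visible lines rejects that length. Only two payload bytes are packed into val here, so consider returning an error for tx_len > 2 before building val, so a caller that passes a longer buffer finds out instead of sending a truncated command. Separately, "GEN_HDATA(tx_buf[1] << 8)" is only correct while the macro's mask is 16 bits wide, which is the dependency the replies in this thread discuss; a one-line comment stating the byte order (tx_buf[0] in the low byte, tx_buf[1] in the high byte) would record why the shift is there, since the commit message says the endianness is now encoded explicitly.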