All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] drm/i915/gvt/fb_decoder: Fix out-of-bounds read
@ 2017-12-09  6:37 Gustavo A. R. Silva
  2017-12-11  9:20   ` Zhenyu Wang
  0 siblings, 1 reply; 4+ messages in thread
From: Gustavo A. R. Silva @ 2017-12-09  6:37 UTC (permalink / raw)
  To: Zhenyu Wang, Zhi Wang, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi,
	David Airlie
  Cc: intel-gvt-dev, intel-gfx, dri-devel, linux-kernel,
	Gustavo A. R. Silva

In case function skl_format_to_drm returns -EINVAL, fmt turns into a huge
number as fmt is of type u32, hence there is an out-of-bounds read when
using fmt as an index for array skl_pixel_formats at line 225:
plane->bpp = skl_pixel_formats[fmt].bpp;

Fix this by comparing the value returned by function skl_format_to_drm
against the size of array skl_pixel_formats, so in case it is greater than
or equal to the number of items contained in skl_pixel_formats, print an
error message and return -EINVAL.

Addresses-Coverity-ID: 1462495
Addresses-Coverity-ID: 1462502 ("Out-of-bounds read")
Fixes: 9f31d1063b43 ("drm/i915/gvt: Add framebuffer decoder support")
Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
---
 drivers/gpu/drm/i915/gvt/fb_decoder.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/gpu/drm/i915/gvt/fb_decoder.c b/drivers/gpu/drm/i915/gvt/fb_decoder.c
index 72f4217..aed578b 100644
--- a/drivers/gpu/drm/i915/gvt/fb_decoder.c
+++ b/drivers/gpu/drm/i915/gvt/fb_decoder.c
@@ -222,6 +222,12 @@ int intel_vgpu_decode_primary_plane(struct intel_vgpu *vgpu,
 			val & PLANE_CTL_ORDER_RGBX,
 			val & PLANE_CTL_ALPHA_MASK,
 			val & PLANE_CTL_YUV422_ORDER_MASK);
+
+		if (fmt >= ARRAY_SIZE(skl_pixel_formats)) {
+			gvt_vgpu_err("Out-of-bounds pixel format index\n");
+			return -EINVAL;
+		}
+
 		plane->bpp = skl_pixel_formats[fmt].bpp;
 		plane->drm_format = skl_pixel_formats[fmt].drm_format;
 	} else {
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH] drm/i915/gvt/fb_decoder: Fix out-of-bounds read
  2017-12-09  6:37 [PATCH] drm/i915/gvt/fb_decoder: Fix out-of-bounds read Gustavo A. R. Silva
@ 2017-12-11  9:20   ` Zhenyu Wang
  0 siblings, 0 replies; 4+ messages in thread
From: Zhenyu Wang @ 2017-12-11  9:20 UTC (permalink / raw)
  To: Gustavo A. R. Silva
  Cc: David Airlie, intel-gfx, linux-kernel, dri-devel, Rodrigo Vivi,
	intel-gvt-dev


[-- Attachment #1.1: Type: text/plain, Size: 1751 bytes --]

On 2017.12.09 00:37:59 -0600, Gustavo A. R. Silva wrote:
> In case function skl_format_to_drm returns -EINVAL, fmt turns into a huge
> number as fmt is of type u32, hence there is an out-of-bounds read when
> using fmt as an index for array skl_pixel_formats at line 225:
> plane->bpp = skl_pixel_formats[fmt].bpp;
> 
> Fix this by comparing the value returned by function skl_format_to_drm
> against the size of array skl_pixel_formats, so in case it is greater than
> or equal to the number of items contained in skl_pixel_formats, print an
> error message and return -EINVAL.
> 
> Addresses-Coverity-ID: 1462495
> Addresses-Coverity-ID: 1462502 ("Out-of-bounds read")
> Fixes: 9f31d1063b43 ("drm/i915/gvt: Add framebuffer decoder support")
> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
> ---
>  drivers/gpu/drm/i915/gvt/fb_decoder.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/gpu/drm/i915/gvt/fb_decoder.c b/drivers/gpu/drm/i915/gvt/fb_decoder.c
> index 72f4217..aed578b 100644
> --- a/drivers/gpu/drm/i915/gvt/fb_decoder.c
> +++ b/drivers/gpu/drm/i915/gvt/fb_decoder.c
> @@ -222,6 +222,12 @@ int intel_vgpu_decode_primary_plane(struct intel_vgpu *vgpu,
>  			val & PLANE_CTL_ORDER_RGBX,
>  			val & PLANE_CTL_ALPHA_MASK,
>  			val & PLANE_CTL_YUV422_ORDER_MASK);
> +
> +		if (fmt >= ARRAY_SIZE(skl_pixel_formats)) {
> +			gvt_vgpu_err("Out-of-bounds pixel format index\n");
> +			return -EINVAL;
> +		}
> +
>  		plane->bpp = skl_pixel_formats[fmt].bpp;
>  		plane->drm_format = skl_pixel_formats[fmt].drm_format;
>  	} else {
> -- 

Applied this, thanks!

-- 
Open Source Technology Center, Intel ltd.

$gpg --keyserver wwwkeys.pgp.net --recv-keys 4D781827

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 160 bytes --]

_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] drm/i915/gvt/fb_decoder: Fix out-of-bounds read
@ 2017-12-11  9:20   ` Zhenyu Wang
  0 siblings, 0 replies; 4+ messages in thread
From: Zhenyu Wang @ 2017-12-11  9:20 UTC (permalink / raw)
  To: Gustavo A. R. Silva
  Cc: Zhi Wang, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi,
	David Airlie, intel-gfx, intel-gvt-dev, linux-kernel, dri-devel

[-- Attachment #1: Type: text/plain, Size: 1751 bytes --]

On 2017.12.09 00:37:59 -0600, Gustavo A. R. Silva wrote:
> In case function skl_format_to_drm returns -EINVAL, fmt turns into a huge
> number as fmt is of type u32, hence there is an out-of-bounds read when
> using fmt as an index for array skl_pixel_formats at line 225:
> plane->bpp = skl_pixel_formats[fmt].bpp;
> 
> Fix this by comparing the value returned by function skl_format_to_drm
> against the size of array skl_pixel_formats, so in case it is greater than
> or equal to the number of items contained in skl_pixel_formats, print an
> error message and return -EINVAL.
> 
> Addresses-Coverity-ID: 1462495
> Addresses-Coverity-ID: 1462502 ("Out-of-bounds read")
> Fixes: 9f31d1063b43 ("drm/i915/gvt: Add framebuffer decoder support")
> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
> ---
>  drivers/gpu/drm/i915/gvt/fb_decoder.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/gpu/drm/i915/gvt/fb_decoder.c b/drivers/gpu/drm/i915/gvt/fb_decoder.c
> index 72f4217..aed578b 100644
> --- a/drivers/gpu/drm/i915/gvt/fb_decoder.c
> +++ b/drivers/gpu/drm/i915/gvt/fb_decoder.c
> @@ -222,6 +222,12 @@ int intel_vgpu_decode_primary_plane(struct intel_vgpu *vgpu,
>  			val & PLANE_CTL_ORDER_RGBX,
>  			val & PLANE_CTL_ALPHA_MASK,
>  			val & PLANE_CTL_YUV422_ORDER_MASK);
> +
> +		if (fmt >= ARRAY_SIZE(skl_pixel_formats)) {
> +			gvt_vgpu_err("Out-of-bounds pixel format index\n");
> +			return -EINVAL;
> +		}
> +
>  		plane->bpp = skl_pixel_formats[fmt].bpp;
>  		plane->drm_format = skl_pixel_formats[fmt].drm_format;
>  	} else {
> -- 

Applied this, thanks!

-- 
Open Source Technology Center, Intel ltd.

$gpg --keyserver wwwkeys.pgp.net --recv-keys 4D781827

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] drm/i915/gvt/fb_decoder: Fix out-of-bounds read
  2017-12-11  9:20   ` Zhenyu Wang
  (?)
@ 2017-12-12 20:56   ` Gustavo A. R. Silva
  -1 siblings, 0 replies; 4+ messages in thread
From: Gustavo A. R. Silva @ 2017-12-12 20:56 UTC (permalink / raw)
  To: Zhenyu Wang
  Cc: Zhi Wang, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi,
	David Airlie, intel-gfx, intel-gvt-dev, linux-kernel, dri-devel

Hi Zhenyu,

Quoting Zhenyu Wang <zhenyuw@linux.intel.com>:

> On 2017.12.09 00:37:59 -0600, Gustavo A. R. Silva wrote:
>> In case function skl_format_to_drm returns -EINVAL, fmt turns into a huge
>> number as fmt is of type u32, hence there is an out-of-bounds read when
>> using fmt as an index for array skl_pixel_formats at line 225:
>> plane->bpp = skl_pixel_formats[fmt].bpp;
>>
>> Fix this by comparing the value returned by function skl_format_to_drm
>> against the size of array skl_pixel_formats, so in case it is greater than
>> or equal to the number of items contained in skl_pixel_formats, print an
>> error message and return -EINVAL.
>>
>> Addresses-Coverity-ID: 1462495
>> Addresses-Coverity-ID: 1462502 ("Out-of-bounds read")
>> Fixes: 9f31d1063b43 ("drm/i915/gvt: Add framebuffer decoder support")
>> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
>> ---
>>  drivers/gpu/drm/i915/gvt/fb_decoder.c | 6 ++++++
>>  1 file changed, 6 insertions(+)
>>
>> diff --git a/drivers/gpu/drm/i915/gvt/fb_decoder.c  
>> b/drivers/gpu/drm/i915/gvt/fb_decoder.c
>> index 72f4217..aed578b 100644
>> --- a/drivers/gpu/drm/i915/gvt/fb_decoder.c
>> +++ b/drivers/gpu/drm/i915/gvt/fb_decoder.c
>> @@ -222,6 +222,12 @@ int intel_vgpu_decode_primary_plane(struct  
>> intel_vgpu *vgpu,
>>  			val & PLANE_CTL_ORDER_RGBX,
>>  			val & PLANE_CTL_ALPHA_MASK,
>>  			val & PLANE_CTL_YUV422_ORDER_MASK);
>> +
>> +		if (fmt >= ARRAY_SIZE(skl_pixel_formats)) {
>> +			gvt_vgpu_err("Out-of-bounds pixel format index\n");
>> +			return -EINVAL;
>> +		}
>> +
>>  		plane->bpp = skl_pixel_formats[fmt].bpp;
>>  		plane->drm_format = skl_pixel_formats[fmt].drm_format;
>>  	} else {
>> --
>
> Applied this, thanks!
>

Glad to help. :)

Thanks
--
Gustavo A. R. Silva

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-12-12 20:56 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-12-09  6:37 [PATCH] drm/i915/gvt/fb_decoder: Fix out-of-bounds read Gustavo A. R. Silva
2017-12-11  9:20 ` Zhenyu Wang
2017-12-11  9:20   ` Zhenyu Wang
2017-12-12 20:56   ` Gustavo A. R. Silva

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.