* [PATCH] drm/i915/gvt/fb_decoder: Fix out-of-bounds read
From: Gustavo A. R. Silva @ 2017-12-09 6:37 UTC
To: Zhenyu Wang, Zhi Wang, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi,
David Airlie
Cc: intel-gvt-dev, intel-gfx, dri-devel, linux-kernel,
Gustavo A. R. Silva
In case function skl_format_to_drm returns -EINVAL, fmt turns into a huge
number as fmt is of type u32, hence there is an out-of-bounds read when
using fmt as an index for array skl_pixel_formats at line 225:
plane->bpp = skl_pixel_formats[fmt].bpp;
Fix this by comparing the value returned by function skl_format_to_drm
against the size of array skl_pixel_formats, so in case it is greater than
or equal to the number of items contained in skl_pixel_formats, print an
error message and return -EINVAL.
Addresses-Coverity-ID: 1462495
Addresses-Coverity-ID: 1462502 ("Out-of-bounds read")
Fixes: 9f31d1063b43 ("drm/i915/gvt: Add framebuffer decoder support")
Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
---
drivers/gpu/drm/i915/gvt/fb_decoder.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/gpu/drm/i915/gvt/fb_decoder.c b/drivers/gpu/drm/i915/gvt/fb_decoder.c
index 72f4217..aed578b 100644
--- a/drivers/gpu/drm/i915/gvt/fb_decoder.c
+++ b/drivers/gpu/drm/i915/gvt/fb_decoder.c
@@ -222,6 +222,12 @@ int intel_vgpu_decode_primary_plane(struct intel_vgpu *vgpu,
val & PLANE_CTL_ORDER_RGBX,
val & PLANE_CTL_ALPHA_MASK,
val & PLANE_CTL_YUV422_ORDER_MASK);
+
+ if (fmt >= ARRAY_SIZE(skl_pixel_formats)) {
+ gvt_vgpu_err("Out-of-bounds pixel format index\n");
+ return -EINVAL;
+ }
+
plane->bpp = skl_pixel_formats[fmt].bpp;
plane->drm_format = skl_pixel_formats[fmt].drm_format;
} else {
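Review bot: the new `if (fmt >= ARRAY_SIZE(skl_pixel_formats))` guard catches the failure case only indirectly. Per the commit message, skl_format_to_drm signals failure with -EINVAL, and the guard works because fmt is a u32, so the negative value wraps to a number larger than the table. That dependency is not recorded in the code: if fmt is later changed to a signed type, a negative index would pass this comparison and reach `skl_pixel_formats[fmt].bpp`. Suggest keeping the return value in an int, testing it for `< 0` first and only then using it as an index, or at least adding a one-line comment above the check that states the reliance on the unsigned wrap.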
--
2.7.4
* Re: [PATCH] drm/i915/gvt/fb_decoder: Fix out-of-bounds read
From: Zhenyu Wang @ 2017-12-11 9:20 UTC
To: Gustavo A. R. Silva
Cc: David Airlie, intel-gfx, linux-kernel, dri-devel, Rodrigo Vivi,
intel-gvt-dev
On 2017.12.09 00:37:59 -0600, Gustavo A. R. Silva wrote:
> In case function skl_format_to_drm returns -EINVAL, fmt turns into a huge
> number as fmt is of type u32, hence there is an out-of-bounds read when
> using fmt as an index for array skl_pixel_formats at line 225:
> plane->bpp = skl_pixel_formats[fmt].bpp;
>
> Fix this by comparing the value returned by function skl_format_to_drm
> against the size of array skl_pixel_formats, so in case it is greater than
> or equal to the number of items contained in skl_pixel_formats, print an
> error message and return -EINVAL.
>
> Addresses-Coverity-ID: 1462495
> Addresses-Coverity-ID: 1462502 ("Out-of-bounds read")
> Fixes: 9f31d1063b43 ("drm/i915/gvt: Add framebuffer decoder support")
> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
> ---
> drivers/gpu/drm/i915/gvt/fb_decoder.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/gpu/drm/i915/gvt/fb_decoder.c b/drivers/gpu/drm/i915/gvt/fb_decoder.c
> index 72f4217..aed578b 100644
> --- a/drivers/gpu/drm/i915/gvt/fb_decoder.c
> +++ b/drivers/gpu/drm/i915/gvt/fb_decoder.c
> @@ -222,6 +222,12 @@ int intel_vgpu_decode_primary_plane(struct intel_vgpu *vgpu,
> val & PLANE_CTL_ORDER_RGBX,
> val & PLANE_CTL_ALPHA_MASK,
> val & PLANE_CTL_YUV422_ORDER_MASK);
> +
> + if (fmt >= ARRAY_SIZE(skl_pixel_formats)) {
> + gvt_vgpu_err("Out-of-bounds pixel format index\n");
> + return -EINVAL;
> + }
> +
> plane->bpp = skl_pixel_formats[fmt].bpp;
> plane->drm_format = skl_pixel_formats[fmt].drm_format;
> } else {
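Review bot: the message in `gvt_vgpu_err("Out-of-bounds pixel format index\n");` reports the symptom rather than the cause and carries no value. The condition is reached when skl_format_to_drm could not map the format bits taken from `val`, so wording such as "unsupported pixel format" together with the raw `val` printed in hex would let someone reading the log identify the offending plane control setting without having to reproduce the problem.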
> --
Applied this, thanks!
--
Open Source Technology Center, Intel ltd.
$gpg --keyserver wwwkeys.pgp.net --recv-keys 4D781827
* Re: [PATCH] drm/i915/gvt/fb_decoder: Fix out-of-bounds read
From: Gustavo A. R. Silva @ 2017-12-12 20:56 UTC
To: Zhenyu Wang
Cc: Zhi Wang, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi,
David Airlie, intel-gfx, intel-gvt-dev, linux-kernel, dri-devel
Hi Zhenyu,
Quoting Zhenyu Wang <zhenyuw@linux.intel.com>:
> On 2017.12.09 00:37:59 -0600, Gustavo A. R. Silva wrote:
>> In case function skl_format_to_drm returns -EINVAL, fmt turns into a huge
>> number as fmt is of type u32, hence there is an out-of-bounds read when
>> using fmt as an index for array skl_pixel_formats at line 225:
>> plane->bpp = skl_pixel_formats[fmt].bpp;
>>
>> Fix this by comparing the value returned by function skl_format_to_drm
>> against the size of array skl_pixel_formats, so in case it is greater than
>> or equal to the number of items contained in skl_pixel_formats, print an
>> error message and return -EINVAL.
>>
>> Addresses-Coverity-ID: 1462495
>> Addresses-Coverity-ID: 1462502 ("Out-of-bounds read")
>> Fixes: 9f31d1063b43 ("drm/i915/gvt: Add framebuffer decoder support")
>> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
>> ---
>> drivers/gpu/drm/i915/gvt/fb_decoder.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/drivers/gpu/drm/i915/gvt/fb_decoder.c
>> b/drivers/gpu/drm/i915/gvt/fb_decoder.c
>> index 72f4217..aed578b 100644
>> --- a/drivers/gpu/drm/i915/gvt/fb_decoder.c
>> +++ b/drivers/gpu/drm/i915/gvt/fb_decoder.c
>> @@ -222,6 +222,12 @@ int intel_vgpu_decode_primary_plane(struct
>> intel_vgpu *vgpu,
>> val & PLANE_CTL_ORDER_RGBX,
>> val & PLANE_CTL_ALPHA_MASK,
>> val & PLANE_CTL_YUV422_ORDER_MASK);
>> +
>> + if (fmt >= ARRAY_SIZE(skl_pixel_formats)) {
>> + gvt_vgpu_err("Out-of-bounds pixel format index\n");
>> + return -EINVAL;
>> + }
>> +
>> plane->bpp = skl_pixel_formats[fmt].bpp;
>> plane->drm_format = skl_pixel_formats[fmt].drm_format;
>> } else {
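Review bot: the bounds check is added only in the branch that closes at `} else {`. The other branch lies outside this hunk's context, so it is worth confirming in the full file whether it performs a similar table lookup with an index taken from a helper's return value, and if it does, giving it the same guard in this patch.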
>> --
>
> Applied this, thanks!
>
Glad to help. :)
Thanks
--
Gustavo A. R. Silva