From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sasha Levin <sashal@kernel.org>,
dri-devel@lists.freedesktop.org,
Dan Carpenter <dan.carpenter@oracle.com>
Subject: [PATCH AUTOSEL 5.4 004/350] drm/mipi-dbi: fix a loop in debugfs code
Date: Tue, 10 Dec 2019 15:58:16 -0500
Message-ID: <20191210210402.8367-4-sashal@kernel.org>
In-Reply-To: <20191210210402.8367-1-sashal@kernel.org>
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit d72cf01f410aa09868d98b672f3f92328c96b32d ]
This code will likely crash if we try to do a zero byte write. The code
looks like this:

	/* strip trailing whitespace */
	for (i = count - 1; i > 0; i--)
		if (isspace(buf[i]))
			...

We're writing zero bytes so count = 0. You would think that "count - 1"
would be negative one, but because "i" is unsigned it is a large
positive number instead. The "i > 0" condition is true and the "buf[i]"
access will be out of bounds.

The fix is to make "i" signed and now everything works as expected. The
upper bound of "count" is capped in __kernel_write() at MAX_RW_COUNT so
we don't have to worry about it being higher than INT_MAX.
Fixes: 02dd95fe3169 ("drm/tinydrm: Add MIPI DBI support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
[noralf: Adjust title]
Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20190821072456.GJ26957@mwanda
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_mipi_dbi.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/drm_mipi_dbi.c b/drivers/gpu/drm/drm_mipi_dbi.c
index 1961f713aaab4..c4ee2709a6f32 100644
--- a/drivers/gpu/drm/drm_mipi_dbi.c
+++ b/drivers/gpu/drm/drm_mipi_dbi.c
@@ -1187,8 +1187,7 @@ static ssize_t mipi_dbi_debugfs_command_write(struct file *file,
struct mipi_dbi_dev *dbidev = m->private;
u8 val, cmd = 0, parameters[64];
char *buf, *pos, *token;
- unsigned int i;
- int ret, idx;
+ int i, ret, idx;
if (!drm_dev_enter(&dbidev->drm, &idx))
return -ENODEV;
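Review bot: with "int i, ret, idx;" the strip loop quoted in the commit message now depends on an implicit size_t to int conversion of "count - 1" and on the MAX_RW_COUNT cap, which is enforced in another function and is not visible at the loop. An explicit early return for count == 0 ahead of the loop, or a one-line comment naming the cap, would document that dependency where it matters. Separately, the "i > 0" condition never tests buf[0], so a write consisting of a single whitespace byte is left unstripped; if that is intended it deserves a comment.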
--
2.20.1
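The wraparound described in the commit message, as an added user-space example that is not part of the patch or the kernel source. The function names are hypothetical and the loop body is an assumption, since the quoted snippet elides it with "...".

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Pre-fix start index: "count - 1" stored in an unsigned int. Returned
 * rather than used as a subscript, so this demo never reads out of bounds. */
static unsigned int start_index_unsigned(size_t count)
{
	unsigned int i = count - 1;	/* count == 0 wraps to UINT_MAX */

	return i;
}

/* Does the pre-fix loop condition "i > 0" admit the first iteration? */
static int unsigned_loop_enters(size_t count)
{
	return start_index_unsigned(count) > 0;
}

/* Post-fix shape with a signed index. The loop body is assumed (the page
 * elides it with "..."): NUL out trailing whitespace, stop at the first
 * other byte. Requires count <= INT_MAX; casting before the subtraction
 * keeps count == 0 well defined (-1). Returns the remaining length. */
static size_t strip_trailing_ws_signed(char *buf, size_t count)
{
	int i;

	for (i = (int)count - 1; i > 0; i--) {
		if (isspace((unsigned char)buf[i]))
			buf[i] = '\0';
		else
			break;
	}
	return i < 0 ? 0 : (size_t)i + 1;
}

int main(void)
{
	char cmd[] = "2c 00\n \t";	/* constructed sample input, 8 bytes */

	printf("unsigned start index for count=0: %u (UINT_MAX=%u)\n",
	       start_index_unsigned(0), UINT_MAX);
	printf("pre-fix loop entered for count=0: %d\n", unsigned_loop_enters(0));
	printf("signed strip, count=0 -> %zu\n", strip_trailing_ws_signed(cmd, 0));
	printf("signed strip, count=8 -> %zu\n", strip_trailing_ws_signed(cmd, 8));
	return 0;
}
```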