From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
To: Tomas Winkler <tomas.winkler@intel.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Alexander Usyskin <alexander.usyskin@intel.com>,
linux-kernel@vger.kernel.org,
"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
Ramalingam C <ramalingam.c@intel.com>,
stable@vger.kernel.org
Subject: Re: [char-misc-next V4] mei: hdcp: fix mei_hdcp_verify_mprime() input parameter
Date: Thu, 30 Jul 2020 17:52:10 -0500 [thread overview]
Message-ID: <20200730225210.GA1726@embeddedor> (raw)
In-Reply-To: <20200730220139.3642424-1-tomas.winkler@intel.com>
On Fri, Jul 31, 2020 at 01:01:39AM +0300, Tomas Winkler wrote:
> wired_cmd_repeater_auth_stream_req_in has a variable
> length array at the end. we use struct_size() overflow
> macro to determine the size for the allocation and sending
> size.
> This also fixes bug in case number of streams is > 0 in the original
> submission. This bug was not triggered as the number of streams is
> always one.
>
> Fixes: c56967d674e3 (mei: hdcp: Replace one-element array with flexible-array member)
> Fixes: commit 0a1af1b5c18d ("misc/mei/hdcp: Verify M_prime")
^^^^
I think the _commit_ word above is unnecessary.
> Cc: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
> Cc: Ramalingam C <ramalingam.c@intel.com>
> Cc: <stable@vger.kernel.org> v5.1+
Greg,
Notice that this patch is fine as is for -next, only. This becomes suitable
for -stable as long as commit c56967d674e3 (mei: hdcp: Replace one-element array with flexible-array member)
is applied to -stable, too. Otherwise, a separate patch that leaves the
one-element array in struct wired_cmd_repeater_auth_stream_req_in in place
needs to be crafted. With this taken into account, here is my
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Thanks for the changes, Tomas.
--
Gustavo
> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
> ---
> V4:
> 1. Fix typo in the subject. (Gustavo)
> 2. Fix dereferencing pointer in send. (Gustavo)
> V3:
> 1. Fix commit message with more info and another patch it fixes (Gustavo)
> 2. Target stable. (Gustavo)
> V2: Check for allocation failure.
>
> drivers/misc/mei/hdcp/mei_hdcp.c | 40 +++++++++++++++++++-------------
> 1 file changed, 24 insertions(+), 16 deletions(-)
>
> diff --git a/drivers/misc/mei/hdcp/mei_hdcp.c b/drivers/misc/mei/hdcp/mei_hdcp.c
> index d1d3e025ca0e..9ae9669e46ea 100644
> --- a/drivers/misc/mei/hdcp/mei_hdcp.c
> +++ b/drivers/misc/mei/hdcp/mei_hdcp.c
> @@ -546,38 +546,46 @@ static int mei_hdcp_verify_mprime(struct device *dev,
> struct hdcp_port_data *data,
> struct hdcp2_rep_stream_ready *stream_ready)
> {
> - struct wired_cmd_repeater_auth_stream_req_in
> - verify_mprime_in = { { 0 } };
> + struct wired_cmd_repeater_auth_stream_req_in *verify_mprime_in;
> struct wired_cmd_repeater_auth_stream_req_out
> verify_mprime_out = { { 0 } };
> struct mei_cl_device *cldev;
> ssize_t byte;
> + size_t cmd_size;
>
> if (!dev || !stream_ready || !data)
> return -EINVAL;
>
> cldev = to_mei_cl_device(dev);
>
> - verify_mprime_in.header.api_version = HDCP_API_VERSION;
> - verify_mprime_in.header.command_id = WIRED_REPEATER_AUTH_STREAM_REQ;
> - verify_mprime_in.header.status = ME_HDCP_STATUS_SUCCESS;
> - verify_mprime_in.header.buffer_len =
> + cmd_size = struct_size(verify_mprime_in, streams, data->k);
> + if (cmd_size == SIZE_MAX)
> + return -EINVAL;
> +
> + verify_mprime_in = kzalloc(cmd_size, GFP_KERNEL);
> + if (!verify_mprime_in)
> + return -ENOMEM;
> +
> + verify_mprime_in->header.api_version = HDCP_API_VERSION;
> + verify_mprime_in->header.command_id = WIRED_REPEATER_AUTH_STREAM_REQ;
> + verify_mprime_in->header.status = ME_HDCP_STATUS_SUCCESS;
> + verify_mprime_in->header.buffer_len =
> WIRED_CMD_BUF_LEN_REPEATER_AUTH_STREAM_REQ_MIN_IN;
>
> - verify_mprime_in.port.integrated_port_type = data->port_type;
> - verify_mprime_in.port.physical_port = (u8)data->fw_ddi;
> - verify_mprime_in.port.attached_transcoder = (u8)data->fw_tc;
> + verify_mprime_in->port.integrated_port_type = data->port_type;
> + verify_mprime_in->port.physical_port = (u8)data->fw_ddi;
> + verify_mprime_in->port.attached_transcoder = (u8)data->fw_tc;
> +
> + memcpy(verify_mprime_in->m_prime, stream_ready->m_prime, HDCP_2_2_MPRIME_LEN);
> + drm_hdcp_cpu_to_be24(verify_mprime_in->seq_num_m, data->seq_num_m);
>
> - memcpy(verify_mprime_in.m_prime, stream_ready->m_prime,
> - HDCP_2_2_MPRIME_LEN);
> - drm_hdcp_cpu_to_be24(verify_mprime_in.seq_num_m, data->seq_num_m);
> - memcpy(verify_mprime_in.streams, data->streams,
> + memcpy(verify_mprime_in->streams, data->streams,
> array_size(data->k, sizeof(*data->streams)));
>
> - verify_mprime_in.k = cpu_to_be16(data->k);
> + verify_mprime_in->k = cpu_to_be16(data->k);
>
> - byte = mei_cldev_send(cldev, (u8 *)&verify_mprime_in,
> - sizeof(verify_mprime_in));
> + byte = mei_cldev_send(cldev, (u8 *)verify_mprime_in, cmd_size);
> + kfree(verify_mprime_in);
> if (byte < 0) {
> dev_dbg(dev, "mei_cldev_send failed. %zd\n", byte);
> return byte;
> --
> 2.25.4
>
prev parent reply other threads:[~2020-07-30 22:46 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-30 22:01 [char-misc-next V4] mei: hdcp: fix mei_hdcp_verify_mprime() input parameter Tomas Winkler
2020-07-30 22:52 ` Gustavo A. R. Silva [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200730225210.GA1726@embeddedor \
--to=gustavoars@kernel.org \
--cc=alexander.usyskin@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=gustavo@embeddedor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=ramalingam.c@intel.com \
--cc=stable@vger.kernel.org \
--cc=tomas.winkler@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.