* [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf. @ 2021-10-11 20:21 docfate111 2021-10-11 20:24 ` Fwd: " T. Williams 0 siblings, 1 reply; 5+ messages in thread From: docfate111 @ 2021-10-11 20:21 UTC (permalink / raw) To: dri-devel; +Cc: harry.wentland, sunpeng.li Signed-off-by: docfate111 <tdwilliamsiv@gmail.com> --- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c index 87daa78a32b8..17f2756a64dc 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c @@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f, const char __user *buf, if (!wr_buf) return -ENOSPC; - if (parse_write_buffer_into_params(wr_buf, size, + if (parse_write_buffer_into_params(wr_buf, wr_buf_size, (long *)param, buf, max_param_num, ¶m_nums)) { -- 2.25.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Fwd: [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf. 2021-10-11 20:21 [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf docfate111 @ 2021-10-11 20:24 ` T. Williams 2021-10-12 7:18 ` Christian König 0 siblings, 1 reply; 5+ messages in thread From: T. Williams @ 2021-10-11 20:24 UTC (permalink / raw) To: airlied, daniel, Wayne.Lin, mikita.lipski, Nicholas.Kazlauskas, stylon.wang, eryk.brol, Jerry.Zuo, victorchengchi.lu, aurabindo.pillai, nirmoy.das, Anson.Jacob, amd-gfx [-- Attachment #1: Type: text/plain, Size: 1344 bytes --] ---------- Forwarded message --------- From: docfate111 <tdwilliamsiv@gmail.com> Date: Mon, Oct 11, 2021 at 4:22 PM Subject: [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf. To: <dri-devel@lists.freedesktop.org> Cc: <harry.wentland@amd.com>, <sunpeng.li@amd.com> Signed-off-by: docfate111 <tdwilliamsiv@gmail.com> --- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c index 87daa78a32b8..17f2756a64dc 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c @@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f, const char __user *buf, if (!wr_buf) return -ENOSPC; - if (parse_write_buffer_into_params(wr_buf, size, + if (parse_write_buffer_into_params(wr_buf, wr_buf_size, (long *)param, buf, max_param_num, ¶m_nums)) { -- 2.25.1 -- Thank you for your time, Thelford Williams [-- Attachment #2: Type: text/html, Size: 2145 bytes --] ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: Fwd: [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf. 2021-10-11 20:24 ` Fwd: " T. Williams @ 2021-10-12 7:18 ` Christian König 2021-10-12 20:41 ` T. Williams 0 siblings, 1 reply; 5+ messages in thread From: Christian König @ 2021-10-12 7:18 UTC (permalink / raw) To: T. Williams, airlied, daniel, Wayne.Lin, mikita.lipski, Nicholas.Kazlauskas, stylon.wang, eryk.brol, Jerry.Zuo, victorchengchi.lu, aurabindo.pillai, nirmoy.das, Anson.Jacob, amd-gfx [-- Attachment #1: Type: text/plain, Size: 2115 bytes --] Am 11.10.21 um 22:24 schrieb T. Williams: > > > ---------- Forwarded message --------- > From: *docfate111* <tdwilliamsiv@gmail.com > <mailto:tdwilliamsiv@gmail.com>> > Date: Mon, Oct 11, 2021 at 4:22 PM > Subject: [PATCH] Size can be any value and is user controlled > resulting in overwriting the 40 byte array wr_buf with an arbitrary > length of data from buf. > To: <dri-devel@lists.freedesktop.org > <mailto:dri-devel@lists.freedesktop.org>> > Cc: <harry.wentland@amd.com <mailto:harry.wentland@amd.com>>, > <sunpeng.li@amd.com <mailto:sunpeng.li@amd.com>> > > > Signed-off-by: docfate111 <tdwilliamsiv@gmail.com > <mailto:tdwilliamsiv@gmail.com>> While the find might be correct there are a couple of style problems with the patch. First of all the subject line must be shorter and should be something like "drm/amdgpu: fix out of bounds write". The detailed description of the bug then comes into the commit message. And finally please use your real name for the Signed-off-by line. Apart from that good catch, Christian. > --- > drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c > b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c > index 87daa78a32b8..17f2756a64dc 100644 > --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c > +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c > @@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file > *f, const char __user *buf, > if (!wr_buf) > return -ENOSPC; > > - if (parse_write_buffer_into_params(wr_buf, size, > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size, > (long *)param, buf, > max_param_num, > ¶m_nums)) { > -- > 2.25.1 > > > > -- > Thank you for your time, > Thelford Williams [-- Attachment #2: Type: text/html, Size: 4004 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Fwd: [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf. 2021-10-12 7:18 ` Christian König @ 2021-10-12 20:41 ` T. Williams 2021-10-12 20:56 ` Alex Deucher 0 siblings, 1 reply; 5+ messages in thread From: T. Williams @ 2021-10-12 20:41 UTC (permalink / raw) To: Christian König Cc: airlied, Daniel Vetter, Wayne.Lin, mikita.lipski, Nicholas.Kazlauskas, stylon.wang, eryk.brol, Jerry.Zuo, victorchengchi.lu, aurabindo.pillai, nirmoy.das, Anson.Jacob, amd-gfx [-- Attachment #1: Type: text/plain, Size: 2471 bytes --] Should I resubmit the patch email with correct formatting? MITRE assigned this bug as CVE-2021-42327. Does AMD/kernel do public vulnerability reports? Do I need to email someone else or something(sorry for dumb questions this is my first time doing this and I don't know what to do)? I am trying to do step 11 from here: https://cve.mitre.org/cve/researcher_reservation_guidelines. On Tue, Oct 12, 2021 at 3:18 AM Christian König < ckoenig.leichtzumerken@gmail.com> wrote: > Am 11.10.21 um 22:24 schrieb T. Williams: > > > > ---------- Forwarded message --------- > From: docfate111 <tdwilliamsiv@gmail.com> > Date: Mon, Oct 11, 2021 at 4:22 PM > Subject: [PATCH] Size can be any value and is user controlled resulting in > overwriting the 40 byte array wr_buf with an arbitrary length of data from > buf. > To: <dri-devel@lists.freedesktop.org> > Cc: <harry.wentland@amd.com>, <sunpeng.li@amd.com> > > > Signed-off-by: docfate111 <tdwilliamsiv@gmail.com> > > > While the find might be correct there are a couple of style problems with > the patch. > > First of all the subject line must be shorter and should be something like > "drm/amdgpu: fix out of bounds write". > > The detailed description of the bug then comes into the commit message. > > And finally please use your real name for the Signed-off-by line. > > Apart from that good catch, > Christian. > > --- > drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c > b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c > index 87daa78a32b8..17f2756a64dc 100644 > --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c > +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c > @@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f, > const char __user *buf, > if (!wr_buf) > return -ENOSPC; > > - if (parse_write_buffer_into_params(wr_buf, size, > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size, > (long *)param, buf, > max_param_num, > ¶m_nums)) { > -- > 2.25.1 > > > > -- > Thank you for your time, > Thelford Williams > > > -- Thank you for your time, Thelford Williams [-- Attachment #2: Type: text/html, Size: 4599 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Fwd: [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf. 2021-10-12 20:41 ` T. Williams @ 2021-10-12 20:56 ` Alex Deucher 0 siblings, 0 replies; 5+ messages in thread From: Alex Deucher @ 2021-10-12 20:56 UTC (permalink / raw) To: T. Williams Cc: Christian König, Dave Airlie, Daniel Vetter, Wayne Lin, Lipski, Mikita, Kazlauskas, Nicholas, Stylon Wang, Eryk Brol, Jerry Zuo, Victor Lu, Aurabindo Pillai, Nirmoy Das, Anson Jacob, amd-gfx list On Tue, Oct 12, 2021 at 4:45 PM T. Williams <tdwilliamsiv@gmail.com> wrote: > > Should I resubmit the patch email with correct formatting? MITRE assigned this bug as CVE-2021-42327. Does AMD/kernel do public vulnerability reports? Do I need to email someone else or something(sorry for dumb questions this is my first time doing this and I don't know what to do)? > I am trying to do step 11 from here: https://cve.mitre.org/cve/researcher_reservation_guidelines. Just resend the fixed up patch using git-send-email and we'll apply it. Alex > > On Tue, Oct 12, 2021 at 3:18 AM Christian König <ckoenig.leichtzumerken@gmail.com> wrote: >> >> Am 11.10.21 um 22:24 schrieb T. Williams: >> >> >> >> ---------- Forwarded message --------- >> From: docfate111 <tdwilliamsiv@gmail.com> >> Date: Mon, Oct 11, 2021 at 4:22 PM >> Subject: [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf. >> To: <dri-devel@lists.freedesktop.org> >> Cc: <harry.wentland@amd.com>, <sunpeng.li@amd.com> >> >> >> Signed-off-by: docfate111 <tdwilliamsiv@gmail.com> >> >> >> While the find might be correct there are a couple of style problems with the patch. >> >> First of all the subject line must be shorter and should be something like "drm/amdgpu: fix out of bounds write". >> >> The detailed description of the bug then comes into the commit message. >> >> And finally please use your real name for the Signed-off-by line. >> >> Apart from that good catch, >> Christian. >> >> --- >> drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c >> index 87daa78a32b8..17f2756a64dc 100644 >> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c >> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c >> @@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f, const char __user *buf, >> if (!wr_buf) >> return -ENOSPC; >> >> - if (parse_write_buffer_into_params(wr_buf, size, >> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size, >> (long *)param, buf, >> max_param_num, >> ¶m_nums)) { >> -- >> 2.25.1 >> >> >> >> -- >> Thank you for your time, >> Thelford Williams >> >> > > > -- > Thank you for your time, > Thelford Williams ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-10-12 20:56 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2021-10-11 20:21 [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf docfate111 2021-10-11 20:24 ` Fwd: " T. Williams 2021-10-12 7:18 ` Christian König 2021-10-12 20:41 ` T. Williams 2021-10-12 20:56 ` Alex Deucher
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.