From: sashiko-bot@kernel.org
To: "Damon Ding" <damon.ding@rock-chips.com>
Cc: robh@kernel.org, conor+dt@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v4 2/3] drm/bridge: analogix_dp: Add validation for samsung,lane-count property
Date: Fri, 29 May 2026 05:31:47 +0000 [thread overview]
Message-ID: <20260529053147.8F2871F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260529040530.741336-3-damon.ding@rock-chips.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] The bounds check for `samsung,lane-count` incorrectly accepts invalid lane counts (like 3) and can be entirely bypassed with large values due to signed comparison, leaving a heap overflow vulnerability unfixed.
--
commit f84cb246760d7a4c631b55b3c7a41c458926dcf4
Author: Damon Ding <damon.ding@rock-chips.com>
drm/bridge: analogix_dp: Add validation for samsung,lane-count property
This patch adds a range check for the samsung,lane-count device tree property
to avoid invalid values. The validation is only applied when the property
exists to maintain backward compatibility.
> diff --git a/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c b/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c
> --- a/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c
> +++ b/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c
[ ... ]
> @@ -1260,8 +1261,16 @@ static int analogix_dp_dt_parse_pdata(struct analogix_dp_device *dp)
> */
> of_property_read_u32(dp_node, "samsung,link-rate",
> &video_info->max_link_rate);
> - of_property_read_u32(dp_node, "samsung,lane-count",
> - &video_info->max_lane_count);
> + ret = of_property_read_u32(dp_node, "samsung,lane-count",
> + &video_info->max_lane_count);
> + if (!ret) {
> + if (video_info->max_lane_count == 0 ||
> + video_info->max_lane_count > LANE_COUNT4) {
[Severity: High]
This is a pre-existing issue, but does this bounds check effectively
prevent all invalid lane counts?
Since max_lane_count is defined as an enum link_lane_count_type, on ARM
architectures (following AAPCS) enums without negative values that fit in a
signed int are represented as signed int. If of_property_read_u32 writes
a large unsigned value like 0xFFFFFFFF into this enum, it is interpreted
as -1. The signed comparison -1 > 4 evaluates to false, which bypasses
the validation.
When this large value is cast back to u32 later in the driver, it could
allow dp->link_train.lane_count to remain at a malicious value read from
the sink's DPCD, eventually leading to a heap buffer overflow when
initializing the cr_loop array which is sized for only 4 elements.
Additionally, does this check inadvertently allow 3, which is an invalid
DisplayPort lane count?
Would it be safer to read the property into a local u32 variable, validate
it strictly, and only then assign it to video_info->max_lane_count?
> + dev_err(dp->dev, "samsung,lane-count = %d is out of range\n",
> + video_info->max_lane_count);
> + return -EINVAL;
> + }
> + }
> break;
> }
>
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260529040530.741336-1-damon.ding@rock-chips.com?part=2
next prev parent reply other threads:[~2026-05-29 5:31 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-29 4:05 [PATCH v4 0/3] Add eDP lane mapping support Damon Ding
2026-05-29 4:05 ` Damon Ding
2026-05-29 4:05 ` [PATCH v4 1/3] dt-bindings: display: bridge: analogix-dp: Add data-lanes support for endpoint Damon Ding
2026-05-29 4:05 ` Damon Ding
2026-05-29 4:46 ` sashiko-bot
2026-05-29 16:43 ` Conor Dooley
2026-05-29 16:43 ` Conor Dooley
2026-06-01 11:55 ` Sebastian Reichel
2026-06-01 11:55 ` Sebastian Reichel
2026-05-29 4:05 ` [PATCH v4 2/3] drm/bridge: analogix_dp: Add validation for samsung, lane-count property Damon Ding
2026-05-29 4:05 ` [PATCH v4 2/3] drm/bridge: analogix_dp: Add validation for samsung,lane-count property Damon Ding
2026-05-29 4:05 ` Damon Ding
2026-05-29 5:31 ` sashiko-bot [this message]
2026-05-30 13:33 ` Luca Ceresoli
2026-05-30 13:33 ` Luca Ceresoli
2026-05-30 13:38 ` Luca Ceresoli
2026-05-30 13:38 ` Luca Ceresoli
2026-06-01 2:59 ` Damon Ding
2026-06-01 2:59 ` Damon Ding
2026-06-01 12:02 ` Luca Ceresoli
2026-06-01 12:02 ` Luca Ceresoli
2026-06-01 12:24 ` Damon Ding
2026-06-01 12:24 ` Damon Ding
2026-05-29 4:05 ` [PATCH v4 3/3] drm/bridge: analogix_dp: Add support for optional data-lanes mapping Damon Ding
2026-05-29 4:05 ` Damon Ding
2026-05-29 5:56 ` sashiko-bot
2026-06-01 11:59 ` Sebastian Reichel
2026-06-01 11:59 ` Sebastian Reichel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260529053147.8F2871F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=damon.ding@rock-chips.com \
--cc=devicetree@vger.kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.