From: sashiko-bot@kernel.org
To: "Boris Brezillon" <boris.brezillon@collabora.com>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH 08/11] drm/panthor: Drop a needless check in panthor_fw_unplug()
Date: Thu, 25 Jun 2026 12:53:03 +0000
Message-ID: <20260625125304.2E9BE1F00A3A@smtp.kernel.org>
In-Reply-To: <20260625-panthor-misc-fixes-v1-8-b67ed973fea6@collabora.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Integer overflow in `panthor_fw_read_build_info` leads to an out-of-bounds read when parsing untrusted firmware.
--
commit 36848cd8008e907cd2d324339568a4a41f683911
Author: Boris Brezillon <boris.brezillon@collabora.com>
drm/panthor: Drop a needless check in panthor_fw_unplug()
panthor_fw_unplug() is only called if we at least managed to initialize
the IRQ, so it's safe to drop the "is IRQ initialized" check.
> diff --git a/drivers/gpu/drm/panthor/panthor_fw.c b/drivers/gpu/drm/panthor/panthor_fw.c
> index 986151681b246..4fbddb9e18c8b 100644
> --- a/drivers/gpu/drm/panthor/panthor_fw.c
> +++ b/drivers/gpu/drm/panthor/panthor_fw.c
[ ... ]
drivers/gpu/drm/panthor/panthor_fw.c:panthor_fw_read_build_info() {
	...
	if (hdr.meta_start > fw->size ||
	    hdr.meta_start + hdr.meta_size > fw->size) {
		drm_err(&ptdev->base, "Firmware build info corrupt\n");
		/* We don't need the build info, so continue */
		return 0;
	}

	if (memcmp(git_sha_header, fw->data + hdr.meta_start, header_len)) {
		/* Not the expected header, this isn't metadata we understand */
		return 0;
	}

	/* Check that the git SHA is NULL terminated as expected */
	if (fw->data[hdr.meta_start + hdr.meta_size - 1] != '\0') {
		...
	}
[Severity: High]
This is a pre-existing issue, but does this bounds check use 32-bit
arithmetic that can wrap around before the promotion to size_t?
If an attacker supplies a large meta_size (e.g., 0xFFFFFFFF) and a carefully
chosen meta_start (e.g., 0) such that their sum wraps around, could this
bypass the check since 0 > fw->size evaluates to false?
Execution would then call memcmp() on the attacker-controlled meta_start
offset. If the string matches "git_sha: ", execution proceeds to:
fw->data[hdr.meta_start + hdr.meta_size - 1]
Could this evaluate to fw->data[0xFFFFFFFF] (a 4GB out-of-bounds offset)
and cause a page fault or oops when parsing untrusted firmware?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260625-panthor-misc-fixes-v1-0-b67ed973fea6@collabora.com?part=8
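The 32-bit wrap the review raises, next to the overflow-safe form of the same bounds check, as an added userspace C example (not kernel code and not part of this message). `__builtin_add_overflow` is a GCC/Clang builtin standing in for the kernel's check_add_overflow(); the header values and the 34-byte image are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Check as quoted in the review: both parameters mirror the u32 header fields,
 * so the sum is computed in 32 bits and can wrap before the size_t compare. */
static bool meta_in_bounds_quoted(uint32_t meta_start, uint32_t meta_size,
				  size_t fw_size)
{
	return !(meta_start > fw_size || meta_start + meta_size > fw_size);
}

/* Hardened check: overflow-detecting addition (__builtin_add_overflow stands
 * in for the kernel's check_add_overflow()) plus a non-empty region, so the
 * later "meta_start + meta_size - 1" index cannot underflow either. */
static bool meta_in_bounds_hardened(uint32_t meta_start, uint32_t meta_size,
				    size_t fw_size)
{
	size_t end;
	if (meta_size == 0 ||
	    __builtin_add_overflow((size_t)meta_start, meta_size, &end))
		return false;
	return end <= fw_size;
}

/* Parse the build-info region with the hardened check, then require the
 * "git_sha: " prefix and the trailing NUL to lie inside the region before
 * handing out the string. Returns NULL on any failure. */
static const char *read_git_sha(const uint8_t *data, size_t fw_size,
				uint32_t meta_start, uint32_t meta_size)
{
	static const char prefix[] = "git_sha: ";
	const size_t prefix_len = sizeof(prefix) - 1;

	if (!meta_in_bounds_hardened(meta_start, meta_size, fw_size))
		return NULL;
	if (meta_size < prefix_len + 1 ||
	    memcmp(data + meta_start, prefix, prefix_len) != 0)
		return NULL;
	if (data[(size_t)meta_start + meta_size - 1] != '\0')
		return NULL;
	return (const char *)data + meta_start + prefix_len;
}

/* Constructed 34-byte image: 16 filler bytes, then "git_sha: deadbeef\0". */
static const uint8_t sample_fw[] =
	"\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
	"git_sha: deadbeef";
```

With meta_start = 0x10 and meta_size = 0xFFFFFFF8 the quoted check accepts the header (the u32 sum wraps to 8) while the hardened one rejects it; the valid header (16, 18) is accepted by both.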