From: Jani Nikula <jani.nikula@intel.com>
To: sashiko-reviews@lists.linux.dev
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] drm/displayid: fix Tiled Display Topology ID size
Date: Wed, 10 Jun 2026 17:45:47 +0300
Message-ID: <7f2d51d75ff70c1d2f46658d162c54d0bbe46da7@intel.com>
In-Reply-To: <20260610143258.324C21F00893@smtp.kernel.org>
On Wed, 10 Jun 2026, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
>
> Pre-existing issues:
> - [High] Missing payload size validation in `drm_parse_tiled_block` allows an out-of-bounds read of the EDID buffer when parsing malformed DisplayID tiled display blocks.
> --
>
> commit 3a0b5d7c7c564335f99c7d692448de9241f67bbd
> Author: Jani Nikula <jani.nikula@intel.com>
>
> drm/displayid: fix Tiled Display Topology ID size
>
> This commit updates the Tiled Display Topology ID size from 8 to 9 bytes
> in the DRM subsystem structures.
>
>> diff --git a/drivers/gpu/drm/drm_connector.c b/drivers/gpu/drm/drm_connector.c
>> index 3fa4d2082cd72..11646453aaac9 100644
>> --- a/drivers/gpu/drm/drm_connector.c
>> +++ b/drivers/gpu/drm/drm_connector.c
> [ ... ]
>> @@ -3579,14 +3579,14 @@ EXPORT_SYMBOL(drm_mode_put_tile_group);
>> * tile group or NULL if not found.
>> */
>> struct drm_tile_group *drm_mode_get_tile_group(struct drm_device *dev,
>> - const char topology[8])
>> + const char topology_id[9])
>> {
>> struct drm_tile_group *tg;
>> int id;
>>
>> mutex_lock(&dev->mode_config.idr_mutex);
>> idr_for_each_entry(&dev->mode_config.tile_idr, tg, id) {
>> - if (!memcmp(tg->group_data, topology, 8)) {
>> + if (!memcmp(tg->group_data, topology_id, sizeof(tg->group_data))) {
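Review bot: In the new prototype, `const char topology_id[9]` still decays to a plain pointer, so the 9 is documentation only, while the `memcmp()` length now comes from `sizeof(tg->group_data)`; nothing in this hunk ties the two sizes together. Consider one named length constant used for both the parameter declaration and the `group_data` field, so a later size change cannot leave the comparison reading more bytes than callers are documented to pass. The rename from `topology` to `topology_id` also needs the matching update in the kernel-doc comment that ends just above the prototype, if that is not already in the part of the patch elided here.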
>
> [Severity: High]
> This isn't a bug introduced by this patch, but could this lead to an
> out-of-bounds read of the EDID buffer when parsing malformed DisplayID tiled
> display blocks?
>
> Looking at drm_parse_tiled_block() in drivers/gpu/drm/drm_edid.c, the generic
> block is cast to a displayid_tiled_block without validating that the payload
> size (block->num_bytes) is large enough:
>
> drivers/gpu/drm/drm_edid.c:drm_parse_tiled_block() {
> ...
> const struct displayid_tiled_block *tile =
> (struct displayid_tiled_block *)block;
> ...
> tg = drm_mode_get_tile_group(connector->dev, tile->topology_id);
> }
>
> If a malformed EDID provides a tiled block with a short length near the end
> of the allocated EDID buffer, comparing 9 bytes here (or copying them down in
> drm_mode_create_tile_group()) might read past the bounds of the EDID buffer.
Yeah, maybe you should start reading the mailing list [1]. This patch is
in response to the fix for that very issue.
BR,
Jani.
[1] https://lore.kernel.org/r/4e784cad86c91595b6d5da64ca854dab38357658@intel.com
--
Jani Nikula, Intel
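
The length check the quoted review asks about, as an added example that is not code from this thread or from the kernel: it verifies a block's declared payload against both the buffer and the 9-byte topology ID before the cast. The struct layouts, function names and the sample tag byte are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define TOPOLOGY_ID_LEN 9	/* size the patch above moves to */

/* Simplified layouts assumed for this example; every member is a byte. */
struct block_hdr {
	uint8_t tag, rev;
	uint8_t num_bytes;	/* payload length, header excluded */
};

struct tiled_block {
	struct block_hdr base;
	uint8_t tile_cap, topo[3], tile_size[4], tile_pixel_bezel[5];
	uint8_t topology_id[TOPOLOGY_ID_LEN];
};

/* Return the block at buf[off] only if header and full payload are in bounds. */
const struct tiled_block *get_tiled_block(const uint8_t *buf, size_t len, size_t off)
{
	const struct block_hdr *hdr;

	if (off > len || len - off < sizeof(*hdr))
		return NULL;		/* header itself does not fit */
	hdr = (const struct block_hdr *)(buf + off);
	if (hdr->num_bytes > len - off - sizeof(*hdr))
		return NULL;		/* declared payload runs past the buffer */
	if (hdr->num_bytes < sizeof(struct tiled_block) - sizeof(*hdr))
		return NULL;		/* payload too short to hold topology_id */
	return (const struct tiled_block *)hdr;
}

/* Copy topology_id out after validation: 0 on success, -1 if rejected. */
int read_topology_id(const uint8_t *buf, size_t len, size_t off, uint8_t out[TOPOLOGY_ID_LEN])
{
	const struct tiled_block *tile = get_tiled_block(buf, len, off);

	if (!tile)
		return -1;
	memcpy(out, tile->topology_id, sizeof(tile->topology_id));
	return 0;
}

/* Constructed sample: one block at offset 0; buf_len (<= 64) is the claimed buffer size. */
int try_sample(uint8_t num_bytes, size_t buf_len)
{
	uint8_t buf[64] = { 0x12, 0x00, num_bytes }, out[TOPOLOGY_ID_LEN];
	return read_topology_id(buf, buf_len, 0, out);
}
```
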