From: Jani Nikula <jani.nikula@intel.com>
To: "Thomas Hellström" <thomas.hellstrom@linux.intel.com>,
intel-gfx@lists.freedesktop.org
Cc: Lucas De Marchi <lucas.demarchi@intel.com>
Subject: Re: [Intel-gfx] [PATCH] drm/i915/bios: fix slab-out-of-bounds access
Date: Wed, 22 Dec 2021 10:27:43 +0200
Message-ID: <87o859yrgg.fsf@intel.com>
In-Reply-To: <8bcb414a-7f18-a29a-3ccc-07f2143d9aeb@linux.intel.com>
On Tue, 21 Dec 2021, Thomas Hellström <thomas.hellstrom@linux.intel.com> wrote:
> On 12/21/21 14:08, Jani Nikula wrote:
>> If VBT size is not a multiple of 4, the last 4-byte store will be out of
>> bounds of the allocated buffer. Spotted with KASAN. Round up the
>> allocation size.
>>
>> Reported-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
>> Fixes: a36e7dc0af1c ("drm/i915/dg1: Read OPROM via SPI controller")
>> Cc: Clint Taylor <clinton.a.taylor@intel.com>
>> Cc: Lucas De Marchi <lucas.demarchi@intel.com>
>> Signed-off-by: Jani Nikula <jani.nikula@intel.com>
>
>
>> ---
>> drivers/gpu/drm/i915/display/intel_bios.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c
>> index 76a8f001f4c4..310609d186cd 100644
>> --- a/drivers/gpu/drm/i915/display/intel_bios.c
>> +++ b/drivers/gpu/drm/i915/display/intel_bios.c
>> @@ -2369,7 +2369,7 @@ static struct vbt_header *spi_oprom_get_vbt(struct drm_i915_private *i915)
>> vbt_size = intel_uncore_read(&i915->uncore, PRIMARY_SPI_TRIGGER);
>> vbt_size &= 0xffff;
>>
>> - vbt = kzalloc(vbt_size, GFP_KERNEL);
>> + vbt = kzalloc(roundup(vbt_size, 4), GFP_KERNEL);
>
> Use round_up since a power of 2?
Oh, right, *obviously* the underscored version is for powers of two. :p
v2 sent.
> Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Thanks,
Jani.
>
>> if (!vbt)
>> goto err_not_found;
>>
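Review bot: at the kzalloc() line, roundup() is the generic helper that rounds by dividing and multiplying; with the constant power-of-two alignment 4, round_up(vbt_size, 4) is the usual choice and avoids the division. The reason for the padding (the buffer is filled with 4-byte stores, so a vbt_size that is not a multiple of 4 overruns the allocation) is only in the commit message; a one-line comment above the allocation would keep a later cleanup from reverting it to kzalloc(vbt_size, ...). Separately, vbt_size comes from the PRIMARY_SPI_TRIGGER register and is only masked to 16 bits: a value of 0 yields kzalloc(0, ...), which returns ZERO_SIZE_PTR rather than NULL, so the !vbt check does not catch it; consider rejecting a zero size before allocating.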
--
Jani Nikula, Intel Open Source Graphics Center
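The overrun described in the commit message, and the roundup()/round_up() distinction raised in review, as an added userspace example (not code from the patch or the i915 driver). The helper names, the word-at-a-time fill loop and the sample sizes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace stand-ins modelled on the kernel helpers (assumed equivalents). */
static size_t model_roundup(size_t x, size_t y)  { return ((x + y - 1) / y) * y; }
static size_t model_round_up(size_t x, size_t y) { return ((x - 1) | (y - 1)) + 1; }

/*
 * Fill `size` bytes one 32-bit word at a time. Returns 0 on success, -1 if
 * a store would cross the end of the allocation (the access KASAN reports).
 */
static int fill_words(uint8_t *buf, size_t alloc, size_t size)
{
    const uint32_t word = 0xa5a5a5a5u;  /* constructed sample data */
    size_t off;
    for (off = 0; off < size; off += sizeof(word)) {
        if (off + sizeof(word) > alloc)
            return -1;
        memcpy(buf + off, &word, sizeof(word));
    }
    return 0;
}

/* Allocate exactly `size` bytes (padded == 0) or round up to 4, then fill. */
static int try_size(size_t size, int padded)
{
    size_t alloc = padded ? model_round_up(size, 4) : size;
    uint8_t *buf = calloc(1, alloc ? alloc : 1);
    int ret;
    if (!buf)
        return -2;
    ret = fill_words(buf, alloc, size);
    free(buf);
    return ret;
}

int main(void)
{
    const size_t sizes[] = { 4, 5, 7, 8, 0x1ffd };  /* constructed sizes */
    size_t i;
    for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
        printf("size %#zx: exact=%d padded=%d\n", sizes[i],
               try_size(sizes[i], 0), try_size(sizes[i], 1));
    /* The mask form is only valid for powers of two: 7 -> 8, not 12. */
    printf("y=6: roundup=%zu round_up=%zu\n", model_roundup(7, 6), model_round_up(7, 6));
    return 0;
}
```

The bounds check in fill_words() stands in for KASAN: it reports the store that an exact-size allocation cannot hold instead of performing it.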