From: Harry Wentland <harry.wentland@amd.com>
To: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>,
amd-gfx@lists.freedesktop.org
Cc: tdwilliamsiv@gmail.com, alexdeucher@gmail.com,
Patrik Jakobsson <pjakobsson@suse.de>
Subject: Re: [PATCH] drm/amdgpu: Fix even more out of bound writes from debugfs
Date: Wed, 27 Oct 2021 10:24:23 -0400 [thread overview]
Message-ID: <89947fca-468c-232c-fe73-dddab2fbfdf7@amd.com> (raw)
In-Reply-To: <c0744024-bd4c-3849-d218-053377c28b44@amd.com>
On 2021-10-27 09:47, Harry Wentland wrote:
>
>
> On 2021-10-27 09:03, Patrik Jakobsson wrote:
>> CVE-2021-42327 was fixed by:
>>
>> commit f23750b5b3d98653b31d4469592935ef6364ad67
>> Author: Thelford Williams <tdwilliamsiv@gmail.com>
>> Date: Wed Oct 13 16:04:13 2021 -0400
>>
>> drm/amdgpu: fix out of bounds write
>>
>> but amdgpu_dm_debugfs.c contains more of the same issue so fix the
>> remaining ones.
>>
>> Fixes: 918698d5c2b5 ("drm/amd/display: Return the number of bytes parsed than allocated")
>> Signed-off-by: Patrik Jakobsson <pjakobsson@suse.de>
>> ---
>> .../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 16 ++++++++--------
>> 1 file changed, 8 insertions(+), 8 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> index 1a68a674913c..33bdf15febc6 100644
>> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> @@ -491,7 +491,7 @@ static ssize_t dp_phy_settings_write(struct file *f, const char __user *buf,
>> if (!wr_buf)
>> return -ENOSPC;
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>> @@ -643,7 +643,7 @@ static ssize_t dp_phy_test_pattern_debugfs_write(struct file *f, const char __us
>> if (!wr_buf)
>> return -ENOSPC;
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>> @@ -918,7 +918,7 @@ static ssize_t dp_dsc_passthrough_set(struct file *f, const char __user *buf,
>> return -ENOSPC;
>> }
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> ¶m, buf,
>> max_param_num,
>> ¶m_nums)) {
>> @@ -1215,7 +1215,7 @@ static ssize_t trigger_hotplug(struct file *f, const char __user *buf,
>> return -ENOSPC;
>> }
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>> @@ -1400,7 +1400,7 @@ static ssize_t dp_dsc_clock_en_write(struct file *f, const char __user *buf,
>> return -ENOSPC;
>> }
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>> @@ -1585,7 +1585,7 @@ static ssize_t dp_dsc_slice_width_write(struct file *f, const char __user *buf,
>> return -ENOSPC;
>> }
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>> @@ -1770,7 +1770,7 @@ static ssize_t dp_dsc_slice_height_write(struct file *f, const char __user *buf,
>> return -ENOSPC;
>> }
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>> @@ -1948,7 +1948,7 @@ static ssize_t dp_dsc_bits_per_pixel_write(struct file *f, const char __user *bu
>> return -ENOSPC;
>> }
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>>
>
>
> Thanks. This looks good but you seem to be missing another
> instance of this in dp_max_bpc_write.
>
This patch is
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
I'll send a follow-up for dp_max_bpc_write.
Harry
> We'll also want to Linus's suggestion in [1] but I can post
> another patch for that.
>
> https://lkml.org/lkml/2021/10/26/993>>
> Harry
>
next prev parent reply other threads:[~2021-10-27 14:24 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-27 13:03 [PATCH] drm/amdgpu: Fix even more out of bound writes from debugfs Patrik Jakobsson
2021-10-27 13:47 ` Harry Wentland
2021-10-27 14:24 ` Harry Wentland [this message]
2021-10-27 14:26 ` Patrik Jakobsson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=89947fca-468c-232c-fe73-dddab2fbfdf7@amd.com \
--to=harry.wentland@amd.com \
--cc=alexdeucher@gmail.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=patrik.r.jakobsson@gmail.com \
--cc=pjakobsson@suse.de \
--cc=tdwilliamsiv@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.