From: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
To: Doug Anderson <dianders@chromium.org>
Cc: dri-devel <dri-devel@lists.freedesktop.org>,
"Siqueira, Rodrigo" <Rodrigo.Siqueira@amd.com>,
"Zuo, Jerry" <Jerry.Zuo@amd.com>,
alexander.deucher@amd.com,
"Wentland, Harry" <Harry.Wentland@amd.com>,
Kuogee Hsieh <khsieh@codeaurora.org>,
Daniel Vetter <daniel@ffwll.ch>, David Airlie <airlied@linux.ie>,
Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
Maxime Ripard <mripard@kernel.org>,
Thomas Zimmermann <tzimmermann@suse.de>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2] drm/edid: In connector_bad_edid() cap num_of_ext by num_blocks read
Date: Thu, 7 Oct 2021 02:00:09 +0300
Message-ID: <YV4qeRtJoJW+W2at@intel.com>
In-Reply-To: <CAD=FV=XP6TFVn=uxRYr0fXzK9s-uh=a06kZBA5Y6Sj99OCeCXQ@mail.gmail.com>

On Wed, Oct 06, 2021 at 03:45:07PM -0700, Doug Anderson wrote:
> Hi,
>
> On Tue, Oct 5, 2021 at 7:29 PM Douglas Anderson <dianders@chromium.org> wrote:
> >
> > In commit e11f5bd8228f ("drm: Add support for DP 1.4 Compliance edid
> > corruption test") the function connector_bad_edid() started assuming
> > that the memory for the EDID passed to it was big enough to hold
> > `edid[0x7e] + 1` blocks of data (1 extra for the base block). It
> > completely ignored the fact that the function was passed `num_blocks`
> > which indicated how much memory had been allocated for the EDID.
> >
> > Let's fix this by adding a bounds check.
> >
> > This is important for handling the case where there's an error in the
> > first block of the EDID. In that case we will call
> > connector_bad_edid() without having re-allocated memory based on
> > `edid[0x7e]`.
> >
> > Fixes: e11f5bd8228f ("drm: Add support for DP 1.4 Compliance edid corruption test")
> > Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
> > Signed-off-by: Douglas Anderson <dianders@chromium.org>
> > Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
> > ---
> > This problem report came up in the context of a patch I sent out [1]
> > and this is my attempt at a fix. The problem predates my patch,
> > though. I don't personally know anything about DP compliance testing
> > and what should be happening here, nor do I apparently have any
> > hardware that actually reports a bad EDID. Thus this is just compile
> > tested. I'm hoping that someone here can test this and make sure it
> > seems OK to them.
> >
> > Changes in v2:
> > - Added a comment/changed math to help make it easier to grok.
> >
> > drivers/gpu/drm/drm_edid.c | 15 ++++++++++++---
> > 1 file changed, 12 insertions(+), 3 deletions(-)
>
> Pushed this to drm-misc-fixes since the commit it fixes is fairly old.
>
> fdc21c35aaa1 drm/edid: In connector_bad_edid() cap num_of_ext by num_blocks read

BTW seems kasan caught this for us [1]. I didn't notice we had a bug
open about it until now. Just Chris Wilson mentioned it to me in passing
quite a while ago, and I totally forgot about it until I saw your other
patch poking around the same code.

[1] https://gitlab.freedesktop.org/drm/intel/-/issues/4106

--
Ville Syrjälä
Intel
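
A user-space model of the bounds check the quoted commit message describes, added here as an example; it is not the kernel patch and not code from anyone in this thread. `last_block_checksum()` and `demo()` are hypothetical names, and the sample buffer is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EDID_LENGTH    128   /* bytes per EDID block */
#define EDID_EXT_COUNT 0x7e  /* base-block offset of the extension count */

/* Byte sum of one block; a valid EDID block sums to 0 modulo 256. */
static uint8_t block_checksum(const uint8_t *block)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < EDID_LENGTH; i++)
        sum += block[i];
    return sum;
}

/* Hypothetical helper (not the kernel function): checksum the last block the
 * EDID claims to have, but only if it lies within the num_blocks allocated.
 * Returns 0 and stores the checksum, or -1 if the claim is out of bounds. */
int last_block_checksum(const uint8_t *edid, size_t num_blocks, uint8_t *out)
{
    if (!edid || !out || num_blocks == 0)
        return -1;
    size_t last_block = edid[EDID_EXT_COUNT]; /* device-supplied, 0..255 */
    if (last_block >= num_blocks)
        return -1; /* claimed block was never read into the buffer */
    *out = block_checksum(edid + last_block * EDID_LENGTH);
    return 0;
}

/* Constructed sample: 1- or 2-block buffer whose base block claims claimed_ext. */
int demo(size_t num_blocks, uint8_t claimed_ext, uint8_t *out)
{
    uint8_t buf[2 * EDID_LENGTH];
    if (num_blocks < 1 || num_blocks > 2)
        return -1;
    memset(buf, 0, sizeof(buf));
    buf[EDID_EXT_COUNT] = claimed_ext;
    buf[EDID_LENGTH + 5] = 0x2a;
    return last_block_checksum(buf, num_blocks, out);
}

int main(void)
{
    uint8_t sum = 0;
    int bad = demo(1, 3, &sum);  /* base block only, claims 3 extensions */
    int ok = demo(2, 1, &sum);   /* both blocks present */
    printf("bad=%d ok=%d sum=0x%02x\n", bad, ok, sum);
    return 0;
}
```

The rejected case is the one the commit message calls out: only the base block has been read, so the count at offset 0x7e cannot be trusted to describe the allocation.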