All of lore.kernel.org
 help / color / mirror / Atom feed
From: bugzilla-daemon@freedesktop.org
To: dri-devel@lists.freedesktop.org
Subject: [Bug 108609] vegam_smumgr.c: accessing mvdd_voltage_table.entries[] array out of bounds in function vegam_populate_smc_mvdd_table
Date: Wed, 31 Oct 2018 06:55:41 +0000	[thread overview]
Message-ID: <bug-108609-502@http.bugs.freedesktop.org/> (raw)


[-- Attachment #1.1: Type: text/plain, Size: 4002 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=108609

            Bug ID: 108609
           Summary: vegam_smumgr.c: accessing mvdd_voltage_table.entries[]
                    array out of bounds in function
                    vegam_populate_smc_mvdd_table
           Product: DRI
           Version: unspecified
          Hardware: x86-64 (AMD64)
                OS: Linux (All)
            Status: NEW
          Severity: normal
          Priority: medium
         Component: DRM/AMDgpu
          Assignee: dri-devel@lists.freedesktop.org
          Reporter: rstrube@gmail.com

Created attachment 142298
  --> https://bugs.freedesktop.org/attachment.cgi?id=142298&action=edit
Patch to fix accessing mvdd_voltage_table.entries[] array out of bounds in
vegam_smumgr.c

I believe I've discovered a small bug in the vegam_smumgr.c, specifically the
following function:

static int vegam_populate_smc_mvdd_table(struct pp_hwmgr *hwmgr,
                        SMU75_Discrete_DpmTable *table)
{
        struct smu7_hwmgr *data = (struct smu7_hwmgr *)(hwmgr->backend);
        uint32_t count, level;

        if (SMU7_VOLTAGE_CONTROL_BY_GPIO == data->mvdd_control) {
                count = data->mvdd_voltage_table.count;
                if (count > SMU_MAX_SMIO_LEVELS)
                        count = SMU_MAX_SMIO_LEVELS;
                for (level = 0; level < count; level++) {
                        table->SmioTable2.Pattern[level].Voltage =
PP_HOST_TO_SMC_US(
                                       
data->mvdd_voltage_table.entries[count].value * VOLTAGE_SCALE);
                        /* Index into DpmTable.Smio. Drive bits from Smio entry
to get this voltage level.*/
                        table->SmioTable2.Pattern[level].Smio =
                                (uint8_t) level;
                        table->Smio[level] |=
                               
data->mvdd_voltage_table.entries[level].smio_low;
                }
                table->SmioMask2 = data->mvdd_voltage_table.mask_low;

                table->MvddLevelCount = (uint32_t) PP_HOST_TO_SMC_UL(count);
        }

        return 0;
}

With the lines (within the for loop):

table->SmioTable2.Pattern[level].Voltage = PP_HOST_TO_SMC_US(
                data->mvdd_voltage_table.entries[count].value * VOLTAGE_SCALE);

If this code was executed it would try to access the
mvdd_voltage_table.entries[] array out of bounds, because count > than the max
value for level.

I believe:

data->mvdd_voltage_table.entries[count].value

should actually be:

data->mvdd_voltage_table.entries[level].value

You can see in a similar function within vegam_smumgr.c, this bug is *not*
present:

static int vegam_populate_smc_vddci_table(struct pp_hwmgr *hwmgr,
                                        struct SMU75_Discrete_DpmTable *table)
{
        uint32_t count, level;
        struct smu7_hwmgr *data = (struct smu7_hwmgr *)(hwmgr->backend);

        count = data->vddci_voltage_table.count;

        if (SMU7_VOLTAGE_CONTROL_BY_GPIO == data->vddci_control) {
                if (count > SMU_MAX_SMIO_LEVELS)
                        count = SMU_MAX_SMIO_LEVELS;
                for (level = 0; level < count; ++level) {
                        table->SmioTable1.Pattern[level].Voltage =
PP_HOST_TO_SMC_US(
                                       
data->vddci_voltage_table.entries[level].value * VOLTAGE_SCALE);
                        table->SmioTable1.Pattern[level].Smio = (uint8_t)
level;

                        table->Smio[level] |=
data->vddci_voltage_table.entries[level].smio_low;
                }
        }

        table->SmioMask1 = data->vddci_voltage_table.mask_low;

        return 0;
}

I've attached a patch for kernel 4.19, admittedly the change is trivial but I
figured I would try to do things the right way :)

Thanks!
Rob

-- 
You are receiving this mail because:
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 5770 bytes --]

[-- Attachment #2: Type: text/plain, Size: 160 bytes --]

_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

             reply	other threads:[~2018-10-31  6:55 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-10-31  6:55 bugzilla-daemon [this message]
2018-10-31  8:47 ` [Bug 108609] vegam_smumgr.c: accessing mvdd_voltage_table.entries[] array out of bounds in function vegam_populate_smc_mvdd_table bugzilla-daemon
2018-10-31 22:59 ` bugzilla-daemon
2018-11-01  1:56 ` bugzilla-daemon
2019-11-19  9:01 ` bugzilla-daemon

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bug-108609-502@http.bugs.freedesktop.org/ \
    --to=bugzilla-daemon@freedesktop.org \
    --cc=dri-devel@lists.freedesktop.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.