From: sashiko-bot@kernel.org
To: "Thomas Zimmermann" <tzimmermann@suse.de>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v3 1/7] drm/sysfb: simpledrm: Improve framebuffer-size validation
Date: Thu, 25 Jun 2026 10:05:12 +0000
Message-ID: <20260625100513.534941F00A3A@smtp.kernel.org>
In-Reply-To: <20260625094509.157581-2-tzimmermann@suse.de>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Missing validation for device tree provided `stride` against `width * bpp` allows out-of-bounds memory writes.
--
commit daaa8ad78a371c66bd2324aa7a47d551084fe671
Author: Thomas Zimmermann <tzimmermann@suse.de>
drm/sysfb: simpledrm: Improve framebuffer-size validation
This commit validates the framebuffer dimensions provided by firmware against
the 16-bit limits of struct drm_display_mode, failing the probe on errors.
Fixes: 11e8f5fd223b ("drm: Add simpledrm driver")
Cc: <stable@vger.kernel.org> # v5.14+
[ ... ]
> @@ -144,7 +137,7 @@ simplefb_get_width_of(struct drm_device *dev, struct device_node *of_node)
>
> if (ret)
> return ret;
> - return simplefb_get_validated_int0(dev, "width", width);
> + return drm_sysfb_get_validated_int0(dev, "width", width, U16_MAX);
> }
>
> static int
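Review bot: The new U16_MAX argument in simplefb_get_width_of() is passed bare, so the reason for the bound is not visible at the call site. The commit message ties it to the 16-bit fields of struct drm_display_mode; a one-line comment above the return, or a named limit shared with the height getter, would keep the two call sites from drifting apart.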
> @@ -155,7 +148,7 @@ simplefb_get_height_of(struct drm_device *dev, struct device_node *of_node)
>
> if (ret)
> return ret;
> - return simplefb_get_validated_int0(dev, "height", height);
> + return drm_sysfb_get_validated_int0(dev, "height", height, U16_MAX);
> }
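Review bot: Both return paths in simplefb_get_height_of() share one int: ret on failure and the result of drm_sysfb_get_validated_int0() otherwise, and the hunk does not show what the helper returns when height exceeds U16_MAX. A kerneldoc line on the helper stating the error code for an out-of-range value, and that a successful result never exceeds the max argument, would make the contract clear to callers.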
[Severity: High]
This is a pre-existing issue, but does this code need to ensure a provided
stride is at least large enough for the given width and pixel format?
In simpledrm_device_create(), if the device tree or platform data provides a
non-zero stride, it bypasses the minimum pitch calculation:
	if (!stride) {
		u64 pitch = drm_format_info_min_pitch(format, 0, width);
		...
		stride = pitch;
	}
The driver then calculates the required size using this stride:
	if (check_mul_overflow(height, stride, &size)) {
	...
	if (size > resource_size(mem)) {
If firmware provides a small but non-zero stride (for example, 1), the size
calculation yields a small value, which easily passes the resource size check.
However, rendering and clearing operations write width * bpp bytes per line.
For example, in drm_sysfb_plane_helper_atomic_disable():
	for (i = 0; i < lines; ++i) {
		memset_io(dst_vmap, 0, linepixels * dst_format->cpp[0]);
		dst_vmap += dst_pitch;
	}
Can this lead to out-of-bounds memory writes if the firmware provides a stride
that is smaller than width * bpp?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260625094509.157581-1-tzimmermann@suse.de?part=1
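The stride lower bound raised in the review above, as an added user-space model (not code from the simpledrm driver or from the patch author). The struct and function names are hypothetical, and the sample geometry in main() is constructed; it shows a stride that passes the height * stride size check while the per-line writes still run past the region.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical user-space model; names are not from the simpledrm driver. */
struct fb_geometry {
	uint16_t width;   /* pixels per line, bounded by U16_MAX as in the patch */
	uint16_t height;  /* number of lines, bounded by U16_MAX as in the patch */
	uint32_t stride;  /* bytes between line starts (firmware-provided) */
	uint32_t cpp;     /* bytes per pixel */
};

/* Size check alone: height * stride must fit in the memory region. */
static bool fb_size_check_only(const struct fb_geometry *g, uint64_t mem_size)
{
	uint64_t size;
	if (__builtin_mul_overflow((uint64_t)g->height, (uint64_t)g->stride, &size))
		return false;
	return size <= mem_size;
}

/* Size check plus the lower bound on stride: stride >= width * cpp. */
static bool fb_geometry_valid(const struct fb_geometry *g, uint64_t mem_size)
{
	uint64_t min_pitch = (uint64_t)g->width * g->cpp; /* 16x32 bits fits in 64 */

	if (!g->width || !g->height || !g->cpp || g->stride < min_pitch)
		return false;
	return fb_size_check_only(g, mem_size);
}

/* One past the last byte touched when every line writes width * cpp bytes. */
static uint64_t fb_write_extent(const struct fb_geometry *g)
{
	if (!g->height)
		return 0;
	return (uint64_t)(g->height - 1) * g->stride + (uint64_t)g->width * g->cpp;
}

int main(void)
{
	/* Constructed input: 1024x768 at 4 bytes per pixel, stride half the minimum. */
	struct fb_geometry g = { 1024, 768, 2048, 4 };
	uint64_t mem = 768ull * 2048;
	printf("size-only=%d full=%d extent=%llu mem=%llu\n",
	       fb_size_check_only(&g, mem), fb_geometry_valid(&g, mem),
	       (unsigned long long)fb_write_extent(&g), (unsigned long long)mem);
	return 0;
}
```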