dri-devel Archive on lore.kernel.org
From: sashiko-bot@kernel.org
To: "Thomas Zimmermann" <tzimmermann@suse.de>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v3 1/7] drm/sysfb: simpledrm: Improve framebuffer-size validation
Date: Thu, 25 Jun 2026 10:05:12 +0000
Message-ID: <20260625100513.534941F00A3A@smtp.kernel.org>
In-Reply-To: <20260625094509.157581-2-tzimmermann@suse.de>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Missing validation for device tree provided `stride` against `width * bpp` allows out-of-bounds memory writes.
--

commit daaa8ad78a371c66bd2324aa7a47d551084fe671
Author: Thomas Zimmermann <tzimmermann@suse.de>
drm/sysfb: simpledrm: Improve framebuffer-size validation

This commit validates the framebuffer dimensions provided by firmware against
the 16-bit limits of struct drm_display_mode, failing the probe on errors.

Fixes: 11e8f5fd223b ("drm: Add simpledrm driver")
Cc: <stable@vger.kernel.org> # v5.14+

[ ... ]
> @@ -144,7 +137,7 @@ simplefb_get_width_of(struct drm_device *dev, struct device_node *of_node)
>  
>  	if (ret)
>  		return ret;
> -	return simplefb_get_validated_int0(dev, "width", width);
> +	return drm_sysfb_get_validated_int0(dev, "width", width, U16_MAX);
>  }
>  
>  static int
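
Review bot: In simplefb_get_width_of(), the bare U16_MAX passed to drm_sysfb_get_validated_int0() has no explanation at the call site; only the commit message ties it to the 16-bit limits of struct drm_display_mode. A one-line comment, or a named limit shared with the height caller, would keep the two bounds in sync and tell later readers that the cap comes from the mode structure and not from the hardware.
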
> @@ -155,7 +148,7 @@ simplefb_get_height_of(struct drm_device *dev, struct device_node *of_node)
>  
>  	if (ret)
>  		return ret;
> -	return simplefb_get_validated_int0(dev, "height", height);
> +	return drm_sysfb_get_validated_int0(dev, "height", height, U16_MAX);
>  }
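
Review bot: The U16_MAX cap on "height" in simplefb_get_height_of() bounds the display mode, not the buffer: the size check quoted further down multiplies height by stride, and nothing in this hunk relates stride to width. If that relation is left to patch 4/7 ("Improve stride validation"), the commit message should say so, since this patch is tagged for stable on its own.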

[Severity: High]
This is a pre-existing issue, but does this code need to ensure a provided
stride is at least large enough for the given width and pixel format?

In simpledrm_device_create(), if the device tree or platform data provides a
non-zero stride, it bypasses the minimum pitch calculation:

	if (!stride) {
		u64 pitch = drm_format_info_min_pitch(format, 0, width);
		...
		stride = pitch;
	}

The driver then calculates the required size using this stride:

	if (check_mul_overflow(height, stride, &size)) {
		...
		if (size > resource_size(mem)) {

If firmware provides a small but non-zero stride (for example, 1), the size
calculation yields a small value, which easily passes the resource size check.

However, rendering and clearing operations write width * bpp bytes per line.
For example, in drm_sysfb_plane_helper_atomic_disable():

	for (i = 0; i < lines; ++i) {
		memset_io(dst_vmap, 0, linepixels * dst_format->cpp[0]);
		dst_vmap += dst_pitch;
	}

Can this lead to out-of-bounds memory writes if the firmware provides a stride
that is smaller than width * bpp?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260625094509.157581-1-tzimmermann@suse.de?part=1
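
The stride relation raised in the review above, as an added user-space example that is not part of the original message and is not kernel code. The struct and function names are hypothetical, and the sample geometry is constructed; it shows a stride of 1 passing a size-only check while a per-line clear would reach past the region.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of firmware-provided framebuffer geometry. */
struct fb_geom {
	uint32_t width;   /* pixels per line */
	uint32_t height;  /* lines */
	uint32_t stride;  /* bytes between line starts, as given by firmware */
	uint32_t cpp;     /* bytes per pixel */
};

/* Size-only check: height * stride must fit (32x32 products fit in 64 bits). */
static bool size_check_only(const struct fb_geom *g, uint64_t mem_size)
{
	return (uint64_t)g->height * g->stride <= mem_size;
}

/* Adds the missing relation: one line of width * cpp bytes must fit
 * inside one stride before the size check means anything. */
static bool geometry_check(const struct fb_geom *g, uint64_t mem_size)
{
	uint64_t line_bytes = (uint64_t)g->width * g->cpp;

	if (!g->width || !g->height || !g->cpp)
		return false;
	if (g->stride < line_bytes)
		return false;	/* per-line writes would overrun the stride */
	return size_check_only(g, mem_size);
}

/* One past the highest byte offset touched by clearing width * cpp per line. */
static uint64_t clear_extent(const struct fb_geom *g)
{
	if (!g->height)
		return 0;
	return (uint64_t)(g->height - 1) * g->stride + (uint64_t)g->width * g->cpp;
}

int main(void)
{
	/* Constructed sample: 1024x768, 4 bytes per pixel, stride of 1. */
	struct fb_geom g = { 1024, 768, 1, 4 };
	uint64_t mem = 4096;

	printf("size-only=%d full=%d extent=%llu region=%llu\n",
	       size_check_only(&g, mem), geometry_check(&g, mem),
	       (unsigned long long)clear_extent(&g), (unsigned long long)mem);
	return 0;
}
```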

Thread overview: 18+ messages
2026-06-25  9:39 [PATCH v3 0/7] drm/sysfb: simpledrm: Various improvements Thomas Zimmermann
2026-06-25  9:39 ` [PATCH v3 1/7] drm/sysfb: simpledrm: Improve framebuffer-size validation Thomas Zimmermann
2026-06-25 10:05   ` sashiko-bot [this message]
2026-06-25  9:39 ` [PATCH v3 2/7] drm/sysfb: simpledrm: Improve panel-size validation Thomas Zimmermann
2026-06-25  9:39 ` [PATCH v3 3/7] drm/sysfb: simpledrm: Inline simplefb_get_validated_int() Thomas Zimmermann
2026-06-25  9:39 ` [PATCH v3 4/7] drm/sysfb: simpledrm: Improve stride validation Thomas Zimmermann
2026-06-25  9:39 ` [PATCH v3 5/7] drm/sysfb: simpledrm: Validate mmap size against framebuffer size Thomas Zimmermann
2026-06-25 10:27   ` sashiko-bot
2026-06-25  9:39 ` [PATCH v3 6/7] drm/of: Implement drm_of_get_panel_orientation() Thomas Zimmermann
2026-06-29 12:27   ` Thierry Reding
2026-06-29 12:44     ` Thomas Zimmermann
2026-06-29 13:19       ` Thierry Reding
2026-06-29 13:29       ` Thierry Reding
2026-06-29 12:28   ` Thierry Reding
2026-06-25  9:39 ` [PATCH v3 7/7] drm/sysfb: simpledrm: Read panel orientation from DT node Thomas Zimmermann
2026-06-29 12:27   ` Thierry Reding
2026-06-25 10:56 ` [PATCH v3 0/7] drm/sysfb: simpledrm: Various improvements Maxime Ripard
2026-06-29 11:02 ` Javier Martinez Canillas
