From: Hanno Böck
Subject: Error in inner loop in validate_cmds_sorted / out of bounds issue
Date: Sat, 25 Jul 2015 18:56:20 -0700
Message-ID: <20150725185620.6c22c90a@pc1>
To: intel-gfx@lists.freedesktop.org
List-Id: intel-gfx@lists.freedesktop.org

Hi,

I was trying to track down an out of bounds read issue in the intel drm driver that got reported by kasan. It happens in the function validate_cmds_sorted (i915_cmd_parser.c), where there are two nested loops, this is the relevant code part:

    for (i = 0; i < cmd_table_count; i++) {
        const struct drm_i915_cmd_table *table = &cmd_tables[i];
        u32 previous = 0;
        int j;

        for (j = 0; j < table->count; j++) {
            const struct drm_i915_cmd_descriptor *desc = &table->table[i];

Now that &table->table[i] should probably really be &table->table[j], because that's the counter variable of the inner loop. Otherwise it doesn't make any sense (the inner loop would just repeat doing the same thing multiple times).

However if I try to change [i] to [j] here my system doesn't boot any more, I just get a black screen. So I assume this bug is somehow hiding another more severe bug.

cu,
-- 
Hanno Böck
http://hboeck.de/
mail/jabber: hanno@hboeck.de
GPG: BBB51E42
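As an added illustration (not part of the mail above and not the i915 driver's own code), here is a small C model of the sortedness check with simplified stand-in structs: the corrected loop indexes the inner table with j, and a second helper counts how many inner-loop accesses the original table[i] indexing would make past the end of a table, which is where the out of bounds read comes from. The struct names, the cmd_value field and the sample tables are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins (assumed here, not the kernel's real definitions). */
struct cmd_descriptor { uint32_t cmd_value; };  /* opcode the table is sorted on */
struct cmd_table { const struct cmd_descriptor *table; size_t count; };

/* Corrected check: the inner table is indexed with the inner counter j.
 * Returns how many tables are not sorted ascending by cmd_value. */
static int validate_cmds_sorted_fixed(const struct cmd_table *tables, size_t ntables)
{
    int unsorted = 0;
    for (size_t i = 0; i < ntables; i++) {
        uint32_t previous = 0;
        int sorted = 1;
        for (size_t j = 0; j < tables[i].count; j++) {
            const struct cmd_descriptor *desc = &tables[i].table[j];
            if (desc->cmd_value < previous)
                sorted = 0;
            previous = desc->cmd_value;
        }
        unsorted += !sorted;
    }
    return unsorted;
}

/* With the original table[i] indexing, every inner iteration over a table whose count
 * is <= its outer index i reads past the end of that table. This counts those
 * accesses without performing them (the reads a tool like KASAN would flag). */
static size_t oob_reads_with_outer_index(const struct cmd_table *tables, size_t ntables)
{
    size_t oob = 0;
    for (size_t i = 0; i < ntables; i++)
        for (size_t j = 0; j < tables[i].count; j++)
            oob += (i >= tables[i].count);
    return oob;
}

/* Constructed sample: three tables, the last one deliberately unsorted. */
static const struct cmd_descriptor t0[] = { {1}, {2}, {3} };
static const struct cmd_descriptor t1[] = { {5} };
static const struct cmd_descriptor t2[] = { {7}, {4} };
static const struct cmd_table sample_tables[] = { { t0, 3 }, { t1, 1 }, { t2, 2 } };
#define SAMPLE_TABLE_COUNT (sizeof(sample_tables) / sizeof(sample_tables[0]))

int main(void)
{
    printf("unsorted tables (fixed check): %d\n", validate_cmds_sorted_fixed(sample_tables, SAMPLE_TABLE_COUNT));
    printf("inner-loop reads past a table with table[i]: %zu\n", oob_reads_with_outer_index(sample_tables, SAMPLE_TABLE_COUNT));
    return 0;
}
```

With table[i] the inner loop re-reads one descriptor per table, so the unsorted third table would never be noticed, and any table shorter than its own position in the outer array is read past its end.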