* [Intel-gfx] [PATCH i-g-t 1/3] lib/igt_device_scan: fix dangling pointer
From: Matthew Auld @ 2022-06-28 13:13 UTC
To: igt-dev; +Cc: intel-gfx
It looks like the linkto is out of scope:
../lib/igt_device_scan.c: In function ‘igt_device_add_attr’:
../lib/igt_device_scan.c:368:57: warning: dangling pointer ‘v’ to ‘linkto’ may be used [-Wdangling-pointer=]
368 | g_hash_table_insert(dev->attrs_ht, strdup(key), strdup(v));
| ^~~~~~~~~
../lib/igt_device_scan.c:351:22: note: ‘linkto’ declared here
351 | char linkto[PATH_MAX];
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Petri Latvala <petri.latvala@intel.com>
---
lib/igt_device_scan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/igt_device_scan.c b/lib/igt_device_scan.c
index a1cee7a4..5d1d4258 100644
--- a/lib/igt_device_scan.c
+++ b/lib/igt_device_scan.c
@@ -338,6 +338,7 @@ static void igt_device_add_attr(struct igt_device *dev,
const char *key, const char *value)
{
const char *v = value;
+ char linkto[PATH_MAX];
if (!key)
return;
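Review bot: The added `char linkto[PATH_MAX];` at the top of igt_device_add_attr() has no comment saying why it sits at function scope, so a later cleanup could move it back into the `if (!v)` block and bring the warning back. The compiler output in the commit message shows `v` still pointing at `linkto` when `strdup(v)` runs at line 368, after that block has closed. A one-line comment on the declaration noting that `v` may alias the buffer until the `g_hash_table_insert()` call would record the lifetime requirement.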
@@ -348,7 +349,6 @@ static void igt_device_add_attr(struct igt_device *dev,
if (!v) {
struct stat st;
char path[PATH_MAX];
- char linkto[PATH_MAX];
int len;
snprintf(path, sizeof(path), "%s/%s", dev->syspath, key);
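Review bot: In the context line `snprintf(path, sizeof(path), "%s/%s", dev->syspath, key);` the return value is discarded, so a `syspath` and `key` pair that does not fit in PATH_MAX would be truncated silently before `path` is used. This is outside what the patch changes, but since 2/3 in this series already deals with -Wformat-truncation, checking the result against `sizeof(path)` and returning early on overflow would fit here.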
--
2.36.1
* [Intel-gfx] [PATCH i-g-t 2/3] tests/kms_cursor_crc: fix truncated warning
From: Matthew Auld @ 2022-06-28 13:13 UTC
To: igt-dev; +Cc: intel-gfx
Looks reasonable to just increase the size of 'name' to avoid the
potential truncation:
../tests/kms_cursor_crc.c: In function ‘run_size_tests.constprop’:
../tests/kms_cursor_crc.c:699:50: warning: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size between 4 and 14 [-Wformat-truncation=]
699 | snprintf(name, sizeof(name), "%dx%d", w, h);
| ^~
../tests/kms_cursor_crc.c:699:46: note: directive argument in the range [-2147483648, 1024]
699 | snprintf(name, sizeof(name), "%dx%d", w, h);
| ^~~~~~~
In file included from /usr/include/stdio.h:894,
from ../lib/igt_core.h:38,
from ../lib/drmtest.h:39,
from ../lib/igt.h:27,
from ../tests/kms_cursor_crc.c:25:
In function ‘snprintf’,
inlined from ‘run_size_tests.constprop’ at ../tests/kms_cursor_crc.c:699:3:
/usr/include/bits/stdio2.h:71:10: note: ‘__builtin___snprintf_chk’ output between 4 and 24 bytes into a destination of size 16
71 | return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
72 | __glibc_objsize (__s), __fmt,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
73 | __va_arg_pack ());
| ~~~~~~~~~~~~~~~~~
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Petri Latvala <petri.latvala@intel.com>
---
tests/kms_cursor_crc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/kms_cursor_crc.c b/tests/kms_cursor_crc.c
index 513c9715..131fdb0a 100644
--- a/tests/kms_cursor_crc.c
+++ b/tests/kms_cursor_crc.c
@@ -691,7 +691,7 @@ static void test_rapid_movement(data_t *data)
static void run_size_tests(data_t *data, enum pipe pipe,
int w, int h)
{
- char name[16];
+ char name[32];
if (w == 0 && h == 0)
strcpy(name, "max-size");
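Review bot: The new size in `char name[32];` is a bare number with no stated relation to the `"%dx%d"` format it has to hold. The warning in the commit message gives the worst case as 24 bytes (two `%d` fields of up to 11 characters each, the `x`, and the terminating NUL), so a short comment with that arithmetic, or a size derived from it, would show the next reader that 32 is sufficient. The same warning reports a directive argument range of [-2147483648, 1024]; if a negative `w` or `h` is never valid here, asserting that before the `snprintf()` would state the intent rather than only making room for the sign.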
--
2.36.1
* [Intel-gfx] [PATCH i-g-t 3/3] tests/amdgpu/amdgpu_command_submission: fix uaf
From: Matthew Auld @ 2022-06-28 13:13 UTC
To: igt-dev; +Cc: intel-gfx
../lib/amdgpu/amd_command_submission.c: In function ‘amdgpu_command_submission_write_linear_helper’:
../lib/amdgpu/amd_command_submission.c:201:13: warning: pointer ‘ring_context’ used after ‘free’ [-Wuse-after-free]
201 | r = amdgpu_cs_ctx_free(ring_context->context_handle);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../lib/amdgpu/amd_command_submission.c:199:9: note: call to ‘free’ here
199 | free(ring_context);
| ^~~~~~~~~~~~~~~~~~
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Petri Latvala <petri.latvala@intel.com>
---
lib/amdgpu/amd_command_submission.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/amdgpu/amd_command_submission.c b/lib/amdgpu/amd_command_submission.c
index 4dc4df95..16939653 100644
--- a/lib/amdgpu/amd_command_submission.c
+++ b/lib/amdgpu/amd_command_submission.c
@@ -196,10 +196,10 @@ void amdgpu_command_submission_write_linear_helper(amdgpu_device_handle device,
}
/* clean resources */
free(ring_context->pm4);
- free(ring_context);
/* end of test */
r = amdgpu_cs_ctx_free(ring_context->context_handle);
igt_assert_eq(r, 0);
+ free(ring_context);
}
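Review bot: With `free(ring_context);` now placed after `igt_assert_eq(r, 0);`, the struct is released only when the assertion passes; if `amdgpu_cs_ctx_free()` returns non-zero and the assertion leaves the function, `ring_context` is never freed. Moving `free(ring_context);` to directly after the `r = amdgpu_cs_ctx_free(ring_context->context_handle);` line keeps the use-after-free fix, because the handle is still read before the free, and releases the memory on both outcomes.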
--
2.36.1
* Re: [Intel-gfx] [PATCH i-g-t 3/3] tests/amdgpu/amdgpu_command_submission: fix uaf
From: Gwan-gyeong Mun @ 2022-06-29 8:55 UTC
To: Matthew Auld, igt-dev; +Cc: intel-gfx
Looks good to me.
Reviewed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
On 6/28/22 4:13 PM, Matthew Auld wrote:
> ../lib/amdgpu/amd_command_submission.c: In function ‘amdgpu_command_submission_write_linear_helper’:
> ../lib/amdgpu/amd_command_submission.c:201:13: warning: pointer ‘ring_context’ used after ‘free’ [-Wuse-after-free]
> 201 | r = amdgpu_cs_ctx_free(ring_context->context_handle);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ../lib/amdgpu/amd_command_submission.c:199:9: note: call to ‘free’ here
> 199 | free(ring_context);
> | ^~~~~~~~~~~~~~~~~~
>
> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> Cc: Petri Latvala <petri.latvala@intel.com>
> ---
> lib/amdgpu/amd_command_submission.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/amdgpu/amd_command_submission.c b/lib/amdgpu/amd_command_submission.c
> index 4dc4df95..16939653 100644
> --- a/lib/amdgpu/amd_command_submission.c
> +++ b/lib/amdgpu/amd_command_submission.c
> @@ -196,10 +196,10 @@ void amdgpu_command_submission_write_linear_helper(amdgpu_device_handle device,
> }
> /* clean resources */
> free(ring_context->pm4);
> - free(ring_context);
> /* end of test */
> r = amdgpu_cs_ctx_free(ring_context->context_handle);
> igt_assert_eq(r, 0);
> + free(ring_context);
> }
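Review bot: After the move, the `/* clean resources */` comment covers only `free(ring_context->pm4);`, while the final `free(ring_context);` sits under `/* end of test */`, below the assertion. Keeping the two frees together after the `amdgpu_cs_ctx_free()` call would leave the comments accurate and make the required ordering visible: the context handle is released first, then the struct that holds it.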
>
>
>