From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Hersen Wu <hersenxs.wu@amd.com>, Alex Hung <alex.hung@amd.com>,
Tom Chung <chiahsuan.chung@amd.com>,
Daniel Wheeler <daniel.wheeler@amd.com>,
Alex Deucher <alexander.deucher@amd.com>,
Sasha Levin <sashal@kernel.org>,
harry.wentland@amd.com, sunpeng.li@amd.com,
Rodrigo.Siqueira@amd.com, christian.koenig@amd.com,
Xinhui.Pan@amd.com, airlied@gmail.com, daniel@ffwll.ch,
jiapeng.chong@linux.alibaba.com, amd-gfx@lists.freedesktop.org,
dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 5.10 07/38] drm/amd/display: Add array index check for hdcp ddc access
Date: Wed, 31 Jul 2024 20:35:13 -0400 [thread overview]
Message-ID: <20240801003643.3938534-7-sashal@kernel.org> (raw)
In-Reply-To: <20240801003643.3938534-1-sashal@kernel.org>
From: Hersen Wu <hersenxs.wu@amd.com>
[ Upstream commit 4e70c0f5251c25885c31ee84a31f99a01f7cf50e ]
[Why]
Coverity reports OVERRUN warning. Do not check if array
index valid.
[How]
Check msg_id valid and valid array index.
Reviewed-by: Alex Hung <alex.hung@amd.com>
Acked-by: Tom Chung <chiahsuan.chung@amd.com>
Signed-off-by: Hersen Wu <hersenxs.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../drm/amd/display/modules/hdcp/hdcp_ddc.c | 28 ++++++++++++++++---
1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
index 8e9caae7c9559..1b2df97226a3f 100644
--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
+++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
@@ -156,11 +156,16 @@ static enum mod_hdcp_status read(struct mod_hdcp *hdcp,
uint32_t cur_size = 0;
uint32_t data_offset = 0;
- if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) {
+ if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID ||
+ msg_id >= MOD_HDCP_MESSAGE_ID_MAX)
return MOD_HDCP_STATUS_DDC_FAILURE;
- }
if (is_dp_hdcp(hdcp)) {
+ int num_dpcd_addrs = sizeof(hdcp_dpcd_addrs) /
+ sizeof(hdcp_dpcd_addrs[0]);
+ if (msg_id >= num_dpcd_addrs)
+ return MOD_HDCP_STATUS_DDC_FAILURE;
+
while (buf_len > 0) {
cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE);
success = hdcp->config.ddc.funcs.read_dpcd(hdcp->config.ddc.handle,
@@ -175,6 +180,11 @@ static enum mod_hdcp_status read(struct mod_hdcp *hdcp,
data_offset += cur_size;
}
} else {
+ int num_i2c_offsets = sizeof(hdcp_i2c_offsets) /
+ sizeof(hdcp_i2c_offsets[0]);
+ if (msg_id >= num_i2c_offsets)
+ return MOD_HDCP_STATUS_DDC_FAILURE;
+
success = hdcp->config.ddc.funcs.read_i2c(
hdcp->config.ddc.handle,
HDCP_I2C_ADDR,
@@ -219,11 +229,16 @@ static enum mod_hdcp_status write(struct mod_hdcp *hdcp,
uint32_t cur_size = 0;
uint32_t data_offset = 0;
- if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) {
+ if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID ||
+ msg_id >= MOD_HDCP_MESSAGE_ID_MAX)
return MOD_HDCP_STATUS_DDC_FAILURE;
- }
if (is_dp_hdcp(hdcp)) {
+ int num_dpcd_addrs = sizeof(hdcp_dpcd_addrs) /
+ sizeof(hdcp_dpcd_addrs[0]);
+ if (msg_id >= num_dpcd_addrs)
+ return MOD_HDCP_STATUS_DDC_FAILURE;
+
while (buf_len > 0) {
cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE);
success = hdcp->config.ddc.funcs.write_dpcd(
@@ -239,6 +254,11 @@ static enum mod_hdcp_status write(struct mod_hdcp *hdcp,
data_offset += cur_size;
}
} else {
+ int num_i2c_offsets = sizeof(hdcp_i2c_offsets) /
+ sizeof(hdcp_i2c_offsets[0]);
+ if (msg_id >= num_i2c_offsets)
+ return MOD_HDCP_STATUS_DDC_FAILURE;
+
hdcp->buf[0] = hdcp_i2c_offsets[msg_id];
memmove(&hdcp->buf[1], buf, buf_len);
success = hdcp->config.ddc.funcs.write_i2c(
--
2.43.0
next prev parent reply other threads:[~2024-08-01 0:37 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-01 0:35 [PATCH AUTOSEL 5.10 01/38] drm/amdgpu: fix overflowed array index read warning Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 02/38] drm/amd/pm: fix warning using uninitialized value of max_vid_step Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 03/38] drm/amd/pm: fix the Out-of-bounds read warning Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 04/38] drm/amdgpu: fix uninitialized scalar variable warning Sasha Levin
2024-08-22 11:00 ` Pavel Machek
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 05/38] drm/amd/display: Check gpio_id before used as array index Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 06/38] drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6 Sasha Levin
2024-08-01 0:35 ` Sasha Levin [this message]
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 08/38] drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[] Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 09/38] drm/amd/display: Check msg_id before processing transcation Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 10/38] drm/amd/display: Fix Coverity INTEGER_OVERFLOW within dal_gpio_service_create Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 11/38] drm/amdgpu: Fix out-of-bounds write warning Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 12/38] drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 13/38] drm/amdgpu: fix ucode out-of-bounds read warning Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 14/38] drm/amdgpu: fix mc_data " Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 15/38] drm/amdkfd: Reconcile the definition and use of oem_id in struct kfd_topology_device Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 16/38] drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on legacy SOCs Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 17/38] drm/amdgpu: the warning dereferencing obj for nbio_v7_4 Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 18/38] bpf, net: Use DEV_STAT_INC() Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 19/38] PCI: al: Check IORESOURCE_BUS existence during probe Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 20/38] hwspinlock: Introduce hwspin_lock_bust() Sasha Levin
2024-08-27 12:25 ` Pavel Machek
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 21/38] gpiolib: cdev: Add INIT_KFIFO() for linereq events Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 22/38] smack: tcp: ipv4, fix incorrect labeling Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 23/38] wifi: cfg80211: make hash table duplicates more survivable Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 24/38] drm/amd/display: added NULL check at start of dc_validate_stream Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 25/38] drm/amd/display: Skip wbscl_set_scaler_filter if filter is null Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 26/38] ALSA: vmaster: Return error for invalid input values Sasha Levin
2024-08-27 12:26 ` Pavel Machek
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 27/38] ELF: fix kernel.randomize_va_space double read Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 28/38] udf: Avoid excessive partition lengths Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 29/38] riscv: mm: Take memory hotplug read-lock during kernel page table dump Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 30/38] usb: uas: set host status byte on data completion error Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 31/38] cgroup: Protect css->cgroup write under css_set_lock Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 32/38] um: line: always fill *error_out in setup_one_line() Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 33/38] devres: Initialize an uninitialized struct member Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 34/38] pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 35/38] hwmon: (lm95234) Fix underflows seen when writing limit attributes Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 36/38] hwmon: (w83627ehf) " Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 37/38] libbpf: Add NULL checks to bpf_object__{prev_map,next_map} Sasha Levin
2024-08-01 0:35 ` [PATCH AUTOSEL 5.10 38/38] wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240801003643.3938534-7-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=Rodrigo.Siqueira@amd.com \
--cc=Xinhui.Pan@amd.com \
--cc=airlied@gmail.com \
--cc=alex.hung@amd.com \
--cc=alexander.deucher@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=chiahsuan.chung@amd.com \
--cc=christian.koenig@amd.com \
--cc=daniel.wheeler@amd.com \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=harry.wentland@amd.com \
--cc=hersenxs.wu@amd.com \
--cc=jiapeng.chong@linux.alibaba.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=sunpeng.li@amd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox