public inbox for linux-kernel@vger.kernel.org
From: Danilo Krummrich <dakr@redhat.com>
To: Mikhail Kobuk <m.kobuk@ispras.ru>, Danilo Krummrich <me@dakr.org>,
	Lyude Paul <lyude@redhat.com>, Karol Herbst <kherbst@redhat.com>
Cc: David Airlie <airlied@gmail.com>, Daniel Vetter <daniel@ffwll.ch>,
	Francisco Jerez <currojerez@riseup.net>,
	dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org,
	linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org,
	Fedor Pchelkin <pchelkin@ispras.ru>,
	Alexey Khoroshilov <khoroshilov@ispras.ru>
Subject: Re: [PATCH] drm: nv04: Add check to avoid out of bounds access
Date: Wed, 10 Apr 2024 18:24:20 +0200
Message-ID: <cd044176-ebd3-4fd8-94ca-6630cd3211a8@redhat.com>
In-Reply-To: <624ee851-162b-4490-8444-0d9e06b5863b@ispras.ru>

On 4/10/24 17:39, Mikhail Kobuk wrote:
> On 08/04/2024 16:23, Danilo Krummrich wrote:
>> On 4/5/24 22:05, Lyude Paul wrote:
>>> On Fri, 2024-04-05 at 17:53 +0200, Danilo Krummrich wrote:
>>>> On 3/31/24 08:45, Mikhail Kobuk wrote:
>>>>> Output Resource (dcb->or) value is not guaranteed to be non-zero
>>>>> (i.e.
>>>>> in drivers/gpu/drm/nouveau/nouveau_bios.c, in
>>>>> 'fabricate_dcb_encoder_table()'
>>>>> 'dcb->or' is assigned the value '0' in the call to
>>>>> 'fabricate_dcb_output()').
>>>>
>>>> I don't really know much about the semantics of this code.
>>>>
>>>> Looking at fabricate_dcb_output() though I wonder if the intention
>>>> was to assign
>>>> BIT(or) to entry->or.
>>>>
>>>> @Lyude, can you help here?
>>>
>>> This code is definitely a bit before my time as well - but I think
>>> you're completely correct. Especially considering this bit I found in
>>> nouveau_bios.h:
>>
>> Thanks for confirming.
>>
>> @Mikhail, I think we should rather fix this assignment then.
> 
> Thank you all for a thorough look!
> 
>>
>> - Danilo
>>
>>>
>>> enum nouveau_or {
>>>     DCB_OUTPUT_A = (1 << 0),
>>>     DCB_OUTPUT_B = (1 << 1),
>>>     DCB_OUTPUT_C = (1 << 2)
>>> };
>>>
>>>
> 
> Considering this code bit, and the fact that fabricate_dcb_output() is called in drivers/gpu/drm/nouveau/nouveau_bios.c only, there's the option to adjust the function calls instead of adding BIT(or), i.e.:
> 
> fabricate_dcb_output(dcb, DCB_OUTPUT_TMDS, 0, all_heads, DCB_OUTPUT_B);
> 
> instead of current:
> 
> fabricate_dcb_output(dcb, DCB_OUTPUT_TMDS, 0, all_heads, 1);
> 
> etc.
> 
> Should I make a new patch with adjusted calls or stick with BIT(or)?

Please send a new patch adjusting the calls using enum nouveau_or, that
seems to be cleaner.

- Danilo

> 
>>>>
>>>> Otherwise, for parsing the DCB entries, it seems that the bound
>>>> checks are
>>>> happening in olddcb_outp_foreach() [1].
>>>>
>>>> [1]
>>>> https://elixir.bootlin.com/linux/latest/source/drivers/gpu/drm/nouveau/nouveau_bios.c#L1331
>>>>
>>>>>
>>>>> Add check to validate 'dcb->or' before it's used.
>>>>>
>>>>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>>>>
>>>>> Fixes: 2e5702aff395 ("drm/nouveau: fabricate DCB encoder table for
>>>>> iMac G4")
>>>>> Signed-off-by: Mikhail Kobuk <m.kobuk@ispras.ru>
>>>>> ---
>>>>>    drivers/gpu/drm/nouveau/dispnv04/dac.c | 4 ++--
>>>>>    1 file changed, 2 insertions(+), 2 deletions(-)
>>>>>
>>>>> diff --git a/drivers/gpu/drm/nouveau/dispnv04/dac.c
>>>>> b/drivers/gpu/drm/nouveau/dispnv04/dac.c
>>>>> index d6b8e0cce2ac..0c8d4fc95ff3 100644
>>>>> --- a/drivers/gpu/drm/nouveau/dispnv04/dac.c
>>>>> +++ b/drivers/gpu/drm/nouveau/dispnv04/dac.c
>>>>> @@ -428,7 +428,7 @@ void nv04_dac_update_dacclk(struct drm_encoder
>>>>> *encoder, bool enable)
>>>>>        struct drm_device *dev = encoder->dev;
>>>>>        struct dcb_output *dcb = nouveau_encoder(encoder)->dcb;
>>>>> -    if (nv_gf4_disp_arch(dev)) {
>>>>> +    if (nv_gf4_disp_arch(dev) && ffs(dcb->or)) {
>>>>>            uint32_t *dac_users = &nv04_display(dev)-
>>>>>> dac_users[ffs(dcb->or) - 1];
>>>>>            int dacclk_off = NV_PRAMDAC_DACCLK +
>>>>> nv04_dac_output_offset(encoder);
>>>>>            uint32_t dacclk = NVReadRAMDAC(dev, 0,
>>>>> dacclk_off);
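Review bot: the added `ffs(dcb->or)` condition makes nv04_dac_update_dacclk() silently skip the DACCLK update for any encoder whose dcb->or is 0, so a malformed table entry is hidden rather than reported. The thread traces the 0 to fabricate_dcb_output() storing a plain number where nouveau_bios.h expects a DCB_OUTPUT_A/B/C bit mask, so the fix belongs at the producer (pass DCB_OUTPUT_B instead of 1, or BIT(or)) rather than at each consumer of dac_users[]. If a defensive check is kept here anyway, compute the index once (`int or_idx = ffs(dcb->or) - 1;`) and make the bad case visible with WARN_ON_ONCE(or_idx < 0) instead of calling ffs(dcb->or) twice and failing quietly.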
>>>>> @@ -453,7 +453,7 @@ bool nv04_dac_in_use(struct drm_encoder
>>>>> *encoder)
>>>>>        struct drm_device *dev = encoder->dev;
>>>>>        struct dcb_output *dcb = nouveau_encoder(encoder)->dcb;
>>>>> -    return nv_gf4_disp_arch(encoder->dev) &&
>>>>> +    return nv_gf4_disp_arch(encoder->dev) && ffs(dcb->or) &&
>>>>>            (nv04_display(dev)->dac_users[ffs(dcb->or) - 1] &
>>>>> ~(1 << dcb->index));
>>>>>    }
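Review bot: same concern as in the previous hunk: with `ffs(dcb->or)` in the conjunction, nv04_dac_in_use() now answers "not in use" for an encoder whose dcb->or is 0, which turns a corrupt or wrongly fabricated DCB entry into a silent wrong answer rather than a diagnosable one. The root cause agreed in the thread (fabricate_dcb_output() receiving 0/1 instead of DCB_OUTPUT_A/DCB_OUTPUT_B) should be fixed in nouveau_bios.c; if this guard stays, ffs() is evaluated twice in one expression, and the first operand could use the local `dev` instead of `encoder->dev`, which is already the same pointer two lines above.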
>>>>
>>>
> 


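The index arithmetic the thread is arguing about, as an added example that is not part of the patch or of the nouveau driver. It models the dac_users[ffs(dcb->or) - 1] lookup from dispnv04/dac.c against a fabricated DCB entry and shows why passing a plain 0 or 1 to fabricate_dcb_output() is wrong while passing the nouveau_or bit values is right. The names dcb_output_model, DAC_USERS_LEN, or_to_dac_index, fabricate_output, index_for_call and dac_in_use are assumptions made for the example, the dac_users array length is assumed to be one slot per OR bit, sample_dac_users is constructed data, and __builtin_ffs stands in for the kernel's ffs() (1-based bit index, 0 for an all-zero input).

```c
/* Added example; not nouveau code.  Models the dac_users[] lookup in
 * dispnv04/dac.c and the DCB entry fabricated in nouveau_bios.c. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit-mask values from nouveau_bios.h as quoted in the thread. */
enum nouveau_or {
	DCB_OUTPUT_A = (1 << 0),
	DCB_OUTPUT_B = (1 << 1),
	DCB_OUTPUT_C = (1 << 2),
};

#define DAC_USERS_LEN 3	/* assumption: one slot per OR bit A..C */

/* Assumption: only the two fields the lookup touches. */
struct dcb_output_model {
	int index;
	int or;
};

/* Constructed sample: bitmask of encoder indices using each DAC slot. */
static const uint32_t sample_dac_users[DAC_USERS_LEN] = { 0x0, 0x3, 0x1 };

/* Same arithmetic as dac_users[ffs(dcb->or) - 1], but returns -1 instead
 * of indexing outside the array.  or == 0 gives ffs() == 0, i.e. slot -1. */
static int or_to_dac_index(int or)
{
	int idx = __builtin_ffs(or) - 1;	/* kernel ffs() semantics */

	if (idx < 0 || idx >= DAC_USERS_LEN)
		return -1;
	return idx;
}

/* Model of fabricate_dcb_output(): stores 'or' verbatim, which is why the
 * caller must pass a DCB_OUTPUT_* bit and not a plain 0 or 1. */
static void fabricate_output(struct dcb_output_model *e, int index, int or)
{
	e->index = index;
	e->or = or;
}

/* Which dac_users slot a fabricated entry ends up addressing. */
static int index_for_call(int or)
{
	struct dcb_output_model e;

	fabricate_output(&e, 0, or);
	return or_to_dac_index(e.or);
}

/* Model of nv04_dac_in_use(): does any other encoder share this DAC? */
static bool dac_in_use(const uint32_t dac_users[DAC_USERS_LEN],
		       const struct dcb_output_model *e)
{
	int idx = or_to_dac_index(e->or);

	if (idx < 0)
		return false;
	return dac_users[idx] & ~(1u << e->index);
}

int main(void)
{
	const int calls[] = { 0, 1, DCB_OUTPUT_A, DCB_OUTPUT_B, DCB_OUTPUT_C };

	for (unsigned i = 0; i < sizeof(calls) / sizeof(calls[0]); i++)
		printf("fabricate_output(or=%d) -> dac_users slot %d\n",
		       calls[i], index_for_call(calls[i]));
	return 0;
}
```

Running it shows the current calls with or = 0 land on slot -1 (the out-of-bounds read the patch guards against), while or = 1 only works by accident because it happens to equal DCB_OUTPUT_A; with the enum values every entry maps to a distinct slot 0..2, which is the cleaner fix the thread settles on.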
Thread overview: 6+ messages
2024-03-31  6:45 [PATCH] drm: nv04: Add check to avoid out of bounds access Mikhail Kobuk
2024-04-05 15:53 ` Danilo Krummrich
2024-04-05 20:05   ` Lyude Paul
2024-04-08 13:23     ` Danilo Krummrich
2024-04-10 15:39       ` Mikhail Kobuk
2024-04-10 16:24         ` Danilo Krummrich [this message]