[PATCH] drm/fb-helper: Fix out-of-bounds access

Thomas Zimmermann tzimmermann at suse.de
Thu Jun 30 06:37:28 UTC 2022


Hi

On 29.06.22 at 20:17, Geert Uytterhoeven wrote:
>      Hi Thomas,
> 
> On Tue, 21 Jun 2022, Thomas Zimmermann wrote:
>> Clip memory range to screen-buffer size to avoid out-of-bounds access
>> in fbdev deferred I/O's damage handling.
>>
>> Fbdev's deferred I/O can only track pages. From the range of pages, the
>> damage handler computes the clipping rectangle for the display update.
>> If the fbdev screen buffer ends near the beginning of a page, that page
>> could contain more scanlines. The damage handler would then track these
>> non-existing scanlines as dirty and provoke an out-of-bounds access
>> during the screen update. Hence, clip the maximum memory range to the
>> size of the screen buffer.
>>
>> While at it, rename the variables min/max to min_off/max_off in
>> drm_fb_helper_deferred_io(). This avoids confusion with the macros of
>> the same name.
>>
>> Reported-by: Nuno Gonçalves <nunojpg at gmail.com>
>> Signed-off-by: Thomas Zimmermann <tzimmermann at suse.de>
>> Tested-by: Nuno Gonçalves <nunojpg at gmail.com>
>> Fixes: 67b723f5b742 ("drm/fb-helper: Calculate damaged area in separate helper")
> 
> Thanks for your patch, which is now commit ae25885bdf59fde4
> ("drm/fb-helper: Fix out-of-bounds access") in drm-misc/for-linux-next.
> 
> I had seen the crash before, but thought it was a bug in my wip
> atari-drm driver.  When diving deeper today, and consequently looking
> for recent changes to the damage helper, I found this commit in
> linux-next.
> 
> With your patch instead of my own workaround I used this morning, [1]
> still works fine, so:
> Tested-by: Geert Uytterhoeven <geert at linux-m68k.org>.
> Reviewed-by: Geert Uytterhoeven <geert at linux-m68k.org>.

Great, thanks a lot.

BTW, what's the status of the atari-drm driver?

Best regards
Thomas

> 
> [1] [PATCH] drm/fb-helper: Remove helpers to change frame buffer config
>     https://lore.kernel.org/all/20220629105658.1373770-1-geert@linux-m68k.org
> 
> Gr{oetje,eeting}s,
> 
>                          Geert
> 
> -- 
> Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert at linux-m68k.org
> 
> In personal conversations with technical people, I call myself a hacker. But
> when I'm talking to journalists I just say "programmer" or something like that.
>                                  -- Linus Torvalds

-- 
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg)
Managing Director: Ivo Totev
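
The page-granularity problem described in the quoted commit message, as an added example that is not part of the original mail and is not the kernel's code: a user-space model that turns a range of dirty pages into a range of damaged scanlines, with and without clipping to the screen-buffer size. The struct and function names, the 4096-byte page size and the 640x400, one-byte-per-pixel geometry are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u          /* assumed page size for this model */

struct fb_model {                /* hypothetical stand-in for fbdev geometry */
    uint32_t line_length;        /* bytes per scanline */
    uint32_t yres;               /* scanlines that really exist */
    size_t   screen_size;        /* bytes in the screen buffer */
};

struct rows { uint32_t y1, y2; };   /* damaged scanlines, half-open [y1, y2) */

/* Convert an inclusive range of dirty page indices into a scanline range.
 * Deferred I/O only knows pages, so the byte range always ends on a page
 * boundary unless it is clipped to the screen-buffer size first. */
static struct rows pages_to_rows(const struct fb_model *fb, size_t first_page,
                                 size_t last_page, int clip_to_screen)
{
    size_t min_off = first_page * PAGE_SIZE;
    size_t max_off = (last_page + 1) * PAGE_SIZE;
    struct rows r;

    if (clip_to_screen && max_off > fb->screen_size)
        max_off = fb->screen_size;      /* the clamp the commit message describes */

    r.y1 = (uint32_t)(min_off / fb->line_length);
    r.y2 = (uint32_t)((max_off + fb->line_length - 1) / fb->line_length);
    return r;
}

/* A consumer of the rectangle must never see rows past yres. */
static int rows_in_bounds(const struct fb_model *fb, struct rows r)
{
    return r.y1 < r.y2 && r.y2 <= fb->yres;
}

/* Constructed sample: 256000-byte buffer, so the last page (index 62)
 * starts at 253952 and runs 2048 bytes past the end of the buffer. */
static const struct fb_model sample_fb = { 640, 400, 640u * 400u };

int main(void)
{
    struct rows bad = pages_to_rows(&sample_fb, 62, 62, 0);
    struct rows ok  = pages_to_rows(&sample_fb, 62, 62, 1);

    printf("unclipped: rows [%u, %u) in bounds=%d\n", bad.y1, bad.y2,
           rows_in_bounds(&sample_fb, bad));
    printf("clipped:   rows [%u, %u) in bounds=%d\n", ok.y1, ok.y2,
           rows_in_bounds(&sample_fb, ok));
    return 0;
}
```
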