[PATCH] drm/amdgpu: fix out of bounds write
Patrik Jakobsson
patrik.r.jakobsson at gmail.com
Wed Oct 27 10:08:46 UTC 2021
On Wed, Oct 13, 2021 at 10:41 PM Alex Deucher <alexdeucher at gmail.com> wrote:
>
> On Wed, Oct 13, 2021 at 4:04 PM T. Williams <tdwilliamsiv at gmail.com> wrote:
> >
>
> The description and s-o-b should go here and the patch seems to be
> mangled. I've manually applied this. Please fix up your mailer in
> the future.
>
> Thanks for the fix.
Hi Thelford and Alex
There are several more instances of size being used instead of
wr_buf_size in amdgpu_dm_debugfs.c.
IMO the proper fix here would be to revert
918698d5c2b50433714d2042f55b55b090faa167
-Patrik
>
> Alex
>
>
> > ---
> > drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > index 87daa78a32b8..17f2756a64dc 100644
> > --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > @@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f, const char __user *buf,
> > if (!wr_buf)
> > return -ENOSPC;
> >
> > - if (parse_write_buffer_into_params(wr_buf, size,
> > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> > (long *)param, buf,
> > max_param_num,
> > ¶m_nums)) {
> > --
> >
> > Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf.
> >
> > Signed-off-by: Thelford Williams <tdwilliamsiv at gmail.com>
More information about the amd-gfx
mailing list