[PATCH] drm/amdgpu: fix out of bounds write
Patrik Jakobsson
patrik.r.jakobsson at gmail.com
Wed Oct 27 13:05:11 UTC 2021
On Wed, Oct 27, 2021 at 12:08 PM Patrik Jakobsson
<patrik.r.jakobsson at gmail.com> wrote:
>
> On Wed, Oct 13, 2021 at 10:41 PM Alex Deucher <alexdeucher at gmail.com> wrote:
> >
> > On Wed, Oct 13, 2021 at 4:04 PM T. Williams <tdwilliamsiv at gmail.com> wrote:
> > >
> >
> > The description and s-o-b should go here and the patch seems to be
> > mangled. I've manually applied this. Please fix up your mailer in
> > the future.
> >
> > Thanks for the fix.
>
> Hi Thelford and Alex
>
> There are several more instances of size being used instead of
> wr_buf_size in amdgpu_dm_debugfs.c.
>
> IMO the proper fix here would be to revert
> 918698d5c2b50433714d2042f55b55b090faa167
Actually, there's one instance that a revert doesn't cover. Instead I
sent out a patch to fix the remaining ones.
>
> -Patrik
>
> >
> > Alex
> >
> >
> > > ---
> > > drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > > index 87daa78a32b8..17f2756a64dc 100644
> > > --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > > +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > > @@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f, const char __user *buf,
> > > if (!wr_buf)
> > > return -ENOSPC;
> > >
> > > - if (parse_write_buffer_into_params(wr_buf, size,
> > > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> > > (long *)param, buf,
> > > max_param_num,
> > > ¶m_nums)) {
> > > --
> > >
> > > Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf.
> > >
> > > Signed-off-by: Thelford Williams <tdwilliamsiv at gmail.com>
More information about the amd-gfx
mailing list