[PATCH] drm/amdgpu: Fix even more out of bound writes from debugfs

Patrik Jakobsson patrik.r.jakobsson at gmail.com
Wed Oct 27 14:26:46 UTC 2021


On Wed, Oct 27, 2021 at 3:47 PM Harry Wentland <harry.wentland at amd.com> wrote:
>
>
>
> On 2021-10-27 09:03, Patrik Jakobsson wrote:
> > CVE-2021-42327 was fixed by:
> >
> > commit f23750b5b3d98653b31d4469592935ef6364ad67
> > Author: Thelford Williams <tdwilliamsiv at gmail.com>
> > Date:   Wed Oct 13 16:04:13 2021 -0400
> >
> >     drm/amdgpu: fix out of bounds write
> >
> > but amdgpu_dm_debugfs.c contains more of the same issue so fix the
> > remaining ones.
> >
> > Fixes: 918698d5c2b5 ("drm/amd/display: Return the number of bytes parsed than allocated")
> > Signed-off-by: Patrik Jakobsson <pjakobsson at suse.de>
> > ---
> >  .../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c    | 16 ++++++++--------
> >  1 file changed, 8 insertions(+), 8 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > index 1a68a674913c..33bdf15febc6 100644
> > --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > @@ -491,7 +491,7 @@ static ssize_t dp_phy_settings_write(struct file *f, const char __user *buf,
> >       if (!wr_buf)
> >               return -ENOSPC;
> >
> > -     if (parse_write_buffer_into_params(wr_buf, size,
> > +     if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> >                                          (long *)param, buf,
> >                                          max_param_num,
> >                                          &param_nums)) {
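Review bot: With `wr_buf_size` passed in place of `size`, this call no longer tells parse_write_buffer_into_params how many bytes userspace actually wrote. The helper's body is not part of this patch, so this is inferred, but if it copies its full length argument from `buf`, a write shorter than the buffer would make it read past the data the caller supplied and either fail with a fault or parse bytes that were never part of the write. Bounding the length by both values at the call site, for example `min_t(size_t, size, wr_buf_size)`, would keep the destination safe while still honouring the write length. The same applies to the identical change in dp_phy_test_pattern_debugfs_write, dp_dsc_passthrough_set, trigger_hotplug, dp_dsc_clock_en_write, dp_dsc_slice_width_write, dp_dsc_slice_height_write and dp_dsc_bits_per_pixel_write. Each enclosing function starts and ends outside its hunk, so how `wr_buf` is allocated and sized is not visible here.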
> > @@ -643,7 +643,7 @@ static ssize_t dp_phy_test_pattern_debugfs_write(struct file *f, const char __us
> >       if (!wr_buf)
> >               return -ENOSPC;
> >
> > -     if (parse_write_buffer_into_params(wr_buf, size,
> > +     if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> >                                          (long *)param, buf,
> >                                          max_param_num,
> >                                          &param_nums)) {
> > @@ -918,7 +918,7 @@ static ssize_t dp_dsc_passthrough_set(struct file *f, const char __user *buf,
> >               return -ENOSPC;
> >       }
> >
> > -     if (parse_write_buffer_into_params(wr_buf, size,
> > +     if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> >                                          &param, buf,
> >                                          max_param_num,
> >                                          &param_nums)) {
> > @@ -1215,7 +1215,7 @@ static ssize_t trigger_hotplug(struct file *f, const char __user *buf,
> >               return -ENOSPC;
> >       }
> >
> > -     if (parse_write_buffer_into_params(wr_buf, size,
> > +     if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> >                                               (long *)param, buf,
> >                                               max_param_num,
> >                                               &param_nums)) {
> > @@ -1400,7 +1400,7 @@ static ssize_t dp_dsc_clock_en_write(struct file *f, const char __user *buf,
> >               return -ENOSPC;
> >       }
> >
> > -     if (parse_write_buffer_into_params(wr_buf, size,
> > +     if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> >                                           (long *)param, buf,
> >                                           max_param_num,
> >                                           &param_nums)) {
> > @@ -1585,7 +1585,7 @@ static ssize_t dp_dsc_slice_width_write(struct file *f, const char __user *buf,
> >               return -ENOSPC;
> >       }
> >
> > -     if (parse_write_buffer_into_params(wr_buf, size,
> > +     if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> >                                           (long *)param, buf,
> >                                           max_param_num,
> >                                           &param_nums)) {
> > @@ -1770,7 +1770,7 @@ static ssize_t dp_dsc_slice_height_write(struct file *f, const char __user *buf,
> >               return -ENOSPC;
> >       }
> >
> > -     if (parse_write_buffer_into_params(wr_buf, size,
> > +     if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> >                                           (long *)param, buf,
> >                                           max_param_num,
> >                                           &param_nums)) {
> > @@ -1948,7 +1948,7 @@ static ssize_t dp_dsc_bits_per_pixel_write(struct file *f, const char __user *bu
> >               return -ENOSPC;
> >       }
> >
> > -     if (parse_write_buffer_into_params(wr_buf, size,
> > +     if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> >                                           (long *)param, buf,
> >                                           max_param_num,
> >                                           &param_nums)) {
> >
>
>
> Thanks. This looks good but you seem to be missing another
> instance of this in dp_max_bpc_write.

Oops, will fix in v2

>
> We'll also want to follow Linus's suggestion in [1] but I can post
> another patch for that.
>
> https://lkml.org/lkml/2021/10/26/993
>
> Harry
>

