[PATCH] drm/bridge/sii8620: Fix memory corruption
Andrzej Hajda
a.hajda at samsung.com
Thu Aug 24 17:28:57 UTC 2017
On 21.08.2017 12:32, Maciej Purski wrote:
> Function sii8620_mt_read_devcap_reg_recv() used to read array index
> from a wrong msg register, which caused writing out of array
> bounds. It led to writing on other fields of struct sii8620.
>
> Signed-off-by: Maciej Purski <m.purski at samsung.com>
> Fixes: e9c6da270 ("drm/bridge/sii8620: add reading device capability
> registers")
> ---
Queued to drm-misc-fixes.
Regards
Andrzej
> drivers/gpu/drm/bridge/sil-sii8620.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/bridge/sil-sii8620.c b/drivers/gpu/drm/bridge/sil-sii8620.c
> index 2d51a22..5131bfb 100644
> --- a/drivers/gpu/drm/bridge/sil-sii8620.c
> +++ b/drivers/gpu/drm/bridge/sil-sii8620.c
> @@ -597,9 +597,9 @@ static void sii8620_mt_read_devcap(struct sii8620 *ctx, bool xdevcap)
> static void sii8620_mt_read_devcap_reg_recv(struct sii8620 *ctx,
> struct sii8620_mt_msg *msg)
> {
> - u8 reg = msg->reg[0] & 0x7f;
> + u8 reg = msg->reg[1] & 0x7f;
>
> - if (msg->reg[0] & 0x80)
> + if (msg->reg[1] & 0x80)
> ctx->xdevcap[reg] = msg->ret;
> else
> ctx->devcap[reg] = msg->ret;
More information about the dri-devel
mailing list