[PATCH] drm/fb-helper: Fix out-of-bounds access
Javier Martinez Canillas
javierm at redhat.com
Thu Jun 23 07:57:19 UTC 2022
Hello Thomas,
On 6/21/22 12:46, Thomas Zimmermann wrote:
> Clip memory range to screen-buffer size to avoid out-of-bounds access
> in fbdev deferred I/O's damage handling.
>
> Fbdev's deferred I/O can only track pages. From the range of pages, the
> damage handler computes the clipping rectangle for the display update.
> If the fbdev screen buffer ends near the beginning of a page, that page
> could contain more scanlines. The damage handler would then track these
> non-existing scanlines as dirty and provoke an out-of-bounds access
> during the screen update. Hence, clip the maximum memory range to the
> size of the screen buffer.
>
> While at it, rename the variables min/max to min_off/max_off in
> drm_fb_helper_deferred_io(). This avoids confusion with the macros of
> the same name.
>
> Reported-by: Nuno Gonçalves <nunojpg at gmail.com>
> Signed-off-by: Thomas Zimmermann <tzimmermann at suse.de>
> Tested-by: Nuno Gonçalves <nunojpg at gmail.com>
> Fixes: 67b723f5b742 ("drm/fb-helper: Calculate damaged area in separate helper")
> Cc: Thomas Zimmermann <tzimmermann at suse.de>
> Cc: Javier Martinez Canillas <javierm at redhat.com>
> Cc: Maarten Lankhorst <maarten.lankhorst at linux.intel.com>
> Cc: Maxime Ripard <mripard at kernel.org>
> Cc: <stable at vger.kernel.org> # v5.18+
> ---
This makes sense to me.
Reviewed-by: Javier Martinez Canillas <javierm at redhat.com>
--
Best regards,
Javier Martinez Canillas
Linux Engineering
Red Hat
More information about the dri-devel
mailing list