[drm/bridge]: possible buffer overrun in cdns-mhdp8546-core.c

yguoaz yguoaz at gmail.com
Tue Jun 27 02:05:01 UTC 2023


In the file drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c, the
function cdns_mhdp_print_lt_status has the following code:

char vs[8] = "0/0/0/0";
char pe[8] = "0/0/0/0";
unsigned int i;

for (i = 0; i < mhdp->link.num_lanes; i++) {
    vs[i * 2] = '0' + phy_cfg->dp.voltage[i];
    pe[i * 2] = '0' + phy_cfg->dp.pre[i];
}

vs[i * 2 - 1] = '\0';
pe[i * 2 - 1] = '\0';

If mhdp->link.num_lanes == 0, the above code accesses vs[-1] and
pe[-1]. I think this case might be possible. For example, in the
function cdns_mhdp_link_training_channel_eq, we have:

cdns_mhdp_adjust_lt(mhdp, mhdp->link.num_lanes,
    training_interval, lanes_data, link_status);

r = drm_dp_clock_recovery_ok(link_status, mhdp->link.num_lanes);
if (!r)
    goto err;
if (drm_dp_channel_eq_ok(link_status, mhdp->link.num_lanes)) {
    cdns_mhdp_print_lt_status("EQ phase ok", mhdp, &phy_cfg);
    return true;
}

Notice that inside the function cdns_mhdp_adjust_lt, there is a check
for possibly invalid number of lanes:

if (nlanes != 4 && nlanes != 2 && nlanes != 1) {
    dev_err(mhdp->dev, "invalid number of lanes: %u\n", nlanes);
    ret = -EINVAL;
    goto out;
}

If nlanes == 0, a buffer overrun can happen in the subsequent call of
cdns_mhdp_print_lt_status.
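The following is an added example, not code from the kernel or from the poster: it reconstructs the quoted formatting pattern in plain userspace C, computes where the terminating NUL lands for each lane count, and places a hardened variant beside it that rejects the lane counts cdns_mhdp_adjust_lt already treats as invalid (anything other than 1, 2 or 4) before touching the buffer. The function names, the fixed 4-lane maximum and the sample level values are assumptions for illustration.

```c
/* Added example (not kernel code): the lane-status formatting pattern quoted
 * from cdns_mhdp_print_lt_status(), and a checked variant. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Index of the terminating NUL written by the original code.  After its
 * for-loop, i == num_lanes, so the store is out[i * 2 - 1].  With
 * num_lanes == 0 this is -1: one byte before the start of the array. */
static int lt_status_nul_index(unsigned int num_lanes)
{
	return (int)(num_lanes * 2) - 1;
}

/* Same pattern as the original, kept for comparison.  The caller must
 * guarantee 1 <= num_lanes <= 4; otherwise this writes out of bounds. */
static void format_unchecked(char out[8], const unsigned char *levels,
			     unsigned int num_lanes)
{
	unsigned int i;

	memcpy(out, "0/0/0/0", 8);
	for (i = 0; i < num_lanes; i++)
		out[i * 2] = '0' + levels[i];
	out[i * 2 - 1] = '\0';	/* index -1 when num_lanes == 0 */
}

/* Hardened variant: validate the lane count with the same test that
 * cdns_mhdp_adjust_lt() uses, so the NUL store always has i >= 1.
 * Returns 0 on success, -EINVAL for an invalid lane count (buffer untouched). */
static int format_checked(char out[8], const unsigned char *levels,
			  unsigned int num_lanes)
{
	unsigned int i;

	if (num_lanes != 4 && num_lanes != 2 && num_lanes != 1)
		return -EINVAL;

	for (i = 0; i < num_lanes; i++) {
		out[i * 2] = '0' + levels[i];	/* DP swing/pre-emphasis levels are 0..3 */
		out[i * 2 + 1] = '/';
	}
	out[i * 2 - 1] = '\0';	/* replace the trailing '/', i is at least 1 here */
	return 0;
}

int main(void)
{
	/* Constructed sample levels, one per lane (assumed values). */
	const unsigned char voltage[4] = { 1, 2, 0, 3 };
	const unsigned char pre[4] = { 0, 1, 1, 2 };
	char vs[8], pe[8];
	unsigned int n;

	for (n = 0; n <= 4; n++) {
		int idx = lt_status_nul_index(n);
		int rc = format_checked(vs, voltage, n);

		if (rc) {
			printf("lanes=%u: original stores NUL at index %d; "
			       "checked variant returns %d\n", n, idx, rc);
			continue;
		}
		format_checked(pe, pre, n);
		printf("lanes=%u: vs=%s pe=%s\n", n, vs, pe);
	}
	return 0;
}
```

Running it shows the index arithmetic going to -1 for zero lanes (and to 5 for the invalid count 3, which the original would accept), while the checked variant returns -EINVAL for both and produces the same "a/b" and "a/b/c/d" strings as the original for 1, 2 and 4 lanes.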

