[PATCH 1/2] drm/i915/bios: double check array-boundary in parse_sdvo_lvds_data

Rodrigo Vivi rodrigo.vivi at intel.com
Tue May 28 17:01:45 UTC 2024


On Tue, May 28, 2024 at 02:29:00PM +0300, Luca Coelho wrote:
> During static analysis, a concern was raised that we may access the
> dtd->dtd[] array out of bounds, because we are not checking whether
> the index we use is larger than the array.
> 
> This should not be a problem as is, because the enumeration that is
> used for this index comes from "panel_type", which uses an enumeration
> with 4 items.  But if this enumeration is ever changed, it can lead to
> hard-to-detect bugs, so better double-check it before using it as an
> index to the array.

I feel that we might have other cases there that could deserve a
protection like this.

Reviewed-by: Rodrigo Vivi <rodrigo.vivi at intel.com>

> 
> Signed-off-by: Luca Coelho <luciano.coelho at intel.com>
> ---
>  drivers/gpu/drm/i915/display/intel_bios.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
> 
> diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c
> index b0a49b2f957f..128fe9250f40 100644
> --- a/drivers/gpu/drm/i915/display/intel_bios.c
> +++ b/drivers/gpu/drm/i915/display/intel_bios.c
> @@ -1120,6 +1120,18 @@ parse_sdvo_lvds_data(struct drm_i915_private *i915,
>  	if (!dtd)
>  		return;
>  
> +	/*
> +	 * This should not happen, as long as the panel_type
> +	 * enumeration doesn't grow over 4 items.  But if it does, it
> +	 * could lead to hard-to-detect bugs, so better double-check
> +	 * it here to be sure.
> +	 */
> +	if (index >= ARRAY_SIZE(dtd->dtd)) {
> +		drm_err(&i915->drm, "index %d is larger than dtd->dtd[4] array\n",
> +			index);
> +		return;
> +	}
> +
>  	panel_fixed_mode = kzalloc(sizeof(*panel_fixed_mode), GFP_KERNEL);
>  	if (!panel_fixed_mode)
>  		return;
> -- 
> 2.39.2
> 


More information about the Intel-gfx mailing list