[PATCH 1/2] drm/i915/bios: double check array-boundary in parse_sdvo_lvds_data
Rodrigo Vivi
rodrigo.vivi at intel.com
Tue May 28 17:01:45 UTC 2024
On Tue, May 28, 2024 at 02:29:00PM +0300, Luca Coelho wrote:
> During static analysis, a concern was raised that we may access the
> dtd->dtd[] array out of bounds, because we are not checking whether
> the index we use is larger than the array.
>
> This should not be a problem as is, because the enumeration that is
> used for this index comes from "panel_type", which uses an enumeration
> with 4 items. But if this enumeration is ever changed, it can lead to
> hard-to-detect bugs, so better double-check it before using it as an
> index to the array.
I feel that we might have other cases there that could deserve a
protection like this.
Reviewed-by: Rodrigo Vivi <rodrigo.vivi at intel.com>
>
> Signed-off-by: Luca Coelho <luciano.coelho at intel.com>
> ---
> drivers/gpu/drm/i915/display/intel_bios.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c
> index b0a49b2f957f..128fe9250f40 100644
> --- a/drivers/gpu/drm/i915/display/intel_bios.c
> +++ b/drivers/gpu/drm/i915/display/intel_bios.c
> @@ -1120,6 +1120,18 @@ parse_sdvo_lvds_data(struct drm_i915_private *i915,
> if (!dtd)
> return;
>
> + /*
> + * This should not happen, as long as the panel_type
> + * enumeration doesn't grow over 4 items. But if it does, it
> + * could lead to hard-to-detect bugs, so better double-check
> + * it here to be sure.
> + */
> + if (index >= ARRAY_SIZE(dtd->dtd)) {
> + drm_err(&i915->drm, "index %d is larger than dtd->dtd[4] array\n",
> + index);
> + return;
> + }
> +
> panel_fixed_mode = kzalloc(sizeof(*panel_fixed_mode), GFP_KERNEL);
> if (!panel_fixed_mode)
> return;
> --
> 2.39.2
>
More information about the Intel-gfx
mailing list