radeon_atom_init_mc_reg_table() copies the previous mc_data[] entry when
pre_reg_data requests DATA_EQU_PREV. However, the loop starts at i == 0,
so a malformed or unexpected table can make the first entry use
DATA_EQU_PREV and trigger an out-of-bounds read from mc_data[i - 1].
Emulate a fix for a similar issue in amdgpu_atombios_init_mc_reg_table,
see commit 51dfc0a4d609 ("drm/amdgpu: fix mc_data out-of-bounds read
warning"), by skipping DATA_EQU_PREV for the first entry.
Found by Linux Verification Center (linuxtesting.org) with static
analysis tool SVACE.
Fixes: ae5b0abbb6f7 ("drm/radeon/kms: add atom helper functions for dpm (v3)")
Cc: [email protected]
Signed-off-by: Nikita Zhandarovich <[email protected]>
---
P.S. checkpatch warns that too many tabs were used but I can't do much
about surrounding code being already too deeply nested.
drivers/gpu/drm/radeon/radeon_atombios.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c
b/drivers/gpu/drm/radeon/radeon_atombios.c
index 3dd9724b331d..c6d229a4322f 100644
--- a/drivers/gpu/drm/radeon/radeon_atombios.c
+++ b/drivers/gpu/drm/radeon/radeon_atombios.c
@@ -4032,6 +4032,8 @@ int radeon_atom_init_mc_reg_table(struct radeon_device
*rdev,
(u32)le32_to_cpu(*((u32 *)reg_data + j));
j++;
} else if
((reg_table->mc_reg_address[i].pre_reg_data & LOW_NIBBLE_MASK) ==
DATA_EQU_PREV) {
+ if (i
== 0)
+
continue;
reg_table->mc_reg_table_entry[num_ranges].mc_data[i] =
reg_table->mc_reg_table_entry[num_ranges].mc_data[i - 1];
}
