Reviewed-by: Roman Li <roman...@amd.com>

> -----Original Message-----
> From: SHANMUGAM, SRINIVASAN <srinivasan.shanmu...@amd.com>
> Sent: Wednesday, February 21, 2024 11:37 PM
> To: Siqueira, Rodrigo <rodrigo.sique...@amd.com>; Pillai, Aurabindo
> <aurabindo.pil...@amd.com>; Chung, ChiaHsuan (Tom)
> <chiahsuan.ch...@amd.com>; Li, Roman <roman...@amd.com>
> Cc: amd-gfx@lists.freedesktop.org; SHANMUGAM, SRINIVASAN
> <srinivasan.shanmu...@amd.com>; Zhuo, Lillian
> <qingqing.z...@amd.com>
> Subject: [PATCH v3] drm/amd/display: Prevent potential buffer overflow in
> map_hw_resources
> 
> Adds a check in the map_hw_resources function to prevent a potential buffer
> overflow. The function was accessing arrays using an index that could
> potentially be greater than the size of the arrays, leading to a buffer
> overflow.
> 
> Adds a check to ensure that the index is within the bounds of the arrays. If
> the index is out of bounds, an error message is printed and break it will
> continue execution with just ignoring extra data early to prevent the buffer
> overflow.
> 
> Reported by smatch:
> drivers/gpu/drm/amd/amdgpu/../display/dc/dml2/dml2_wrapper.c:79
> map_hw_resources() error: buffer overflow 'dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_stream_id' 6 <= 7
> drivers/gpu/drm/amd/amdgpu/../display/dc/dml2/dml2_wrapper.c:81
> map_hw_resources() error: buffer overflow 'dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_plane_id' 6 <= 7
> 
> Fixes: 482ce89eec1b ("drm/amd/display: Introduce DML2")
> Cc: Rodrigo Siqueira <rodrigo.sique...@amd.com>
> Cc: Roman Li <roman...@amd.com>
> Cc: Qingqing Zhuo <qingqing.z...@amd.com>
> Cc: Aurabindo Pillai <aurabindo.pil...@amd.com>
> Cc: Tom Chung <chiahsuan.ch...@amd.com>
> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmu...@amd.com>
> ---
> v3:
>  - s/return/break as return may leave the system in a bad state
> 
>  drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c
> b/drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c
> index 26307e599614..2a58a7687bdb 100644
> --- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c
> +++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c
> @@ -76,6 +76,11 @@ static void map_hw_resources(struct dml2_context
> *dml2,
>                       in_out_display_cfg->hw.DLGRefClkFreqMHz = 50;
>               }
>               for (j = 0; j < mode_support_info->DPPPerSurface[i]; j++) {
> +                     if (i >=
> __DML2_WRAPPER_MAX_STREAMS_PLANES__) {
> +                             dml_print("DML::%s: Index out of bounds:
> i=%d, __DML2_WRAPPER_MAX_STREAMS_PLANES__=%d\n",
> +                                       __func__, i,
> __DML2_WRAPPER_MAX_STREAMS_PLANES__);
> +                             break;
> +                     }
>                       dml2-
> >v20.scratch.dml_to_dc_pipe_mapping.dml_pipe_idx_to_stream_id[num_pip
> es] = dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_stream_id[i];
>                       dml2-
> >v20.scratch.dml_to_dc_pipe_mapping.dml_pipe_idx_to_stream_id_valid[nu
> m_pipes] = true;
>                       dml2-
> >v20.scratch.dml_to_dc_pipe_mapping.dml_pipe_idx_to_plane_id[num_pipe
> s] = dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_plane_id[i];
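
Review bot: The new `i >= __DML2_WRAPPER_MAX_STREAMS_PLANES__` test sits inside the `for (j = 0; ...)` body, but `i` does not change in that loop, so the test is loop-invariant and `mode_support_info->DPPPerSurface[i]` in the loop condition has already been read with the unchecked `i` by the time it runs. Since `break` only leaves the `j` loop, consider hoisting the check above the `for (j ...)` line so it is evaluated once per `i` and guards the loop condition as well. The writes indexed by `num_pipes` (`dml_pipe_idx_to_stream_id[num_pipes]` and the lines after it) are not covered by this check; if that index is limited elsewhere, a short comment saying so would help.
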
> --
> 2.34.1
