Re: [PATCH] drm: nv04: Add check to avoid out of bounds access
On 08/04/2024 16:23, Danilo Krummrich wrote:
> On 4/5/24 22:05, Lyude Paul wrote:
>> On Fri, 2024-04-05 at 17:53 +0200, Danilo Krummrich wrote:
>>> On 3/31/24 08:45, Mikhail Kobuk wrote:
>>>> Output Resource (dcb->or) value is not guaranteed to be non-zero (i.e.
>>>> in drivers/gpu/drm/nouveau/nouveau_bios.c, in 'fabricate_dcb_encoder_table()'
>>>> 'dcb->or' is assigned value '0' in call to 'fabricate_dcb_output()').
>>>
>>> I don't really know much about the semantics of this code.
>>>
>>> Looking at fabricate_dcb_output() though I wonder if the intention was to assign
>>> BIT(or) to entry->or.
>>>
>>> @Lyude, can you help here?
>>
>> This code is definitely a bit before my time as well - but I think you're
>> completely correct. Especially considering this bit I found in nouveau_bios.h:
>
> Thanks for confirming.
>
> @Mikhail, I think we should rather fix this assignment then.

Thank you all for a thorough look!

> - Danilo
>
>> enum nouveau_or {
>> 	DCB_OUTPUT_A = (1 << 0),
>> 	DCB_OUTPUT_B = (1 << 1),
>> 	DCB_OUTPUT_C = (1 << 2)
>> };

Considering this code bit, and the fact that fabricate_dcb_output() is called in
drivers/gpu/drm/nouveau/nouveau_bios.c only, there's an option to adjust function
calls instead of adding BIT(or), i.e.:

fabricate_dcb_output(dcb, DCB_OUTPUT_TMDS, 0, all_heads, DCB_OUTPUT_B);

instead of current:

fabricate_dcb_output(dcb, DCB_OUTPUT_TMDS, 0, all_heads, 1);

etc. Should I make a new patch with adjusted calls or stick with BIT(or)?

>>>
>>> Otherwise, for parsing the DCB entries, it seems that the bound checks are
>>> happening in olddcb_outp_foreach() [1].
>>>
>>> [1] https://elixir.bootlin.com/linux/latest/source/drivers/gpu/drm/nouveau/nouveau_bios.c#L1331
>>>
>>>> Add check to validate 'dcb->or' before it's used.
>>>>
>>>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>>>
>>>> Fixes: 2e5702aff395 ("drm/nouveau: fabricate DCB encoder table for iMac G4")
>>>> Signed-off-by: Mikhail Kobuk
>>>> ---
>>>>  drivers/gpu/drm/nouveau/dispnv04/dac.c | 4 ++--
>>>>  1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/nouveau/dispnv04/dac.c b/drivers/gpu/drm/nouveau/dispnv04/dac.c index d6b8e0cce2ac..0c8d4fc95ff3 100644 --- a/drivers/gpu/drm/nouveau/dispnv04/dac.c +++ b/drivers/gpu/drm/nouveau/dispnv04/dac.c @@ -428,7 +428,7 @@ void nv04_dac_update_dacclk(struct drm_encoder *encoder, bool enable) struct drm_device *dev = encoder->dev; struct dcb_output *dcb = nouveau_encoder(encoder)->dcb; - if (nv_gf4_disp_arch(dev)) { + if (nv_gf4_disp_arch(dev) && ffs(dcb->or)) { uint32_t *dac_users = _display(dev)- dac_users[ffs(dcb->or) - 1]; int dacclk_off = NV_PRAMDAC_DACCLK + nv04_dac_output_offset(encoder); uint32_t dacclk = NVReadRAMDAC(dev, 0, dacclk_off); @@ -453,7 +453,7 @@ bool nv04_dac_in_use(struct drm_encoder *encoder) struct drm_device *dev = encoder->dev; struct dcb_output *dcb = nouveau_encoder(encoder)->dcb; - return nv_gf4_disp_arch(encoder->dev) && + return nv_gf4_disp_arch(encoder->dev) && ffs(dcb->or) && (nv04_display(dev)->dac_users[ffs(dcb->or) - 1] & ~(1 << dcb->index)); }
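Review bot: the new `ffs(dcb->or)` guard in nv04_dac_update_dacclk() only rejects or == 0; it does not bound the index on the other side, so an `or` whose lowest set bit lies past the last dac_users[] entry still indexes out of range, and, as the thread concludes, the zero comes from fabricate_dcb_output() storing a plain index where a BIT(or) / enum nouveau_or value was meant, so the guard hides a malformed DCB entry rather than fixing it. Also, `ffs(x)` is non-zero exactly when `x` is non-zero, so `&& dcb->or` says the same thing more plainly, and computing `int idx = ffs(dcb->or) - 1;` once avoids the second ffs() in the `dac_users[ffs(dcb->or) - 1]` subscript. If a defensive check is kept at all, pair it with a WARN_ON_ONCE() or NV_WARN so the silently skipped DACCLK update is visible rather than quietly leaving the DAC clock in its previous state.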
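Review bot: with `ffs(dcb->or)` added to the conjunction in nv04_dac_in_use(), an entry with or == 0 is now reported as "DAC not in use" with no diagnostic, which is the silent fallback the thread decides against in favour of fixing the fabricate_dcb_output() callers. Separately, `dev` is already `encoder->dev` (declared two lines above the changed line), so `nv_gf4_disp_arch(encoder->dev)` can be `nv_gf4_disp_arch(dev)` to match the first hunk, and the same `&& dcb->or` / single-ffs() simplification applies here.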
Re: [PATCH] drm: nv04: Add check to avoid out of bounds access
On 4/10/24 17:39, Mikhail Kobuk wrote:
> On 08/04/2024 16:23, Danilo Krummrich wrote:
>> On 4/5/24 22:05, Lyude Paul wrote:
>>> On Fri, 2024-04-05 at 17:53 +0200, Danilo Krummrich wrote:
>>>> On 3/31/24 08:45, Mikhail Kobuk wrote:
>>>>> Output Resource (dcb->or) value is not guaranteed to be non-zero (i.e.
>>>>> in drivers/gpu/drm/nouveau/nouveau_bios.c, in 'fabricate_dcb_encoder_table()'
>>>>> 'dcb->or' is assigned value '0' in call to 'fabricate_dcb_output()').
>>>>
>>>> I don't really know much about the semantics of this code.
>>>>
>>>> Looking at fabricate_dcb_output() though I wonder if the intention was to assign
>>>> BIT(or) to entry->or.
>>>>
>>>> @Lyude, can you help here?
>>>
>>> This code is definitely a bit before my time as well - but I think you're
>>> completely correct. Especially considering this bit I found in nouveau_bios.h:
>>
>> Thanks for confirming.
>>
>> @Mikhail, I think we should rather fix this assignment then.
>
> Thank you all for a thorough look!
>
>> - Danilo
>>
>>> enum nouveau_or {
>>> 	DCB_OUTPUT_A = (1 << 0),
>>> 	DCB_OUTPUT_B = (1 << 1),
>>> 	DCB_OUTPUT_C = (1 << 2)
>>> };
>
> Considering this code bit, and the fact that fabricate_dcb_output() is called in
> drivers/gpu/drm/nouveau/nouveau_bios.c only, there's an option to adjust function
> calls instead of adding BIT(or), i.e.:
>
> fabricate_dcb_output(dcb, DCB_OUTPUT_TMDS, 0, all_heads, DCB_OUTPUT_B);
>
> instead of current:
>
> fabricate_dcb_output(dcb, DCB_OUTPUT_TMDS, 0, all_heads, 1);
>
> etc. Should I make a new patch with adjusted calls or stick with BIT(or)?

Please send a new patch adjusting the calls using enum nouveau_or, that seems to be cleaner.

- Danilo

>>>>
>>>> Otherwise, for parsing the DCB entries, it seems that the bound checks are
>>>> happening in olddcb_outp_foreach() [1].
>>>>
>>>> [1] https://elixir.bootlin.com/linux/latest/source/drivers/gpu/drm/nouveau/nouveau_bios.c#L1331
>>>>
>>>>> Add check to validate 'dcb->or' before it's used.
>>>>>
>>>>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>>>>
>>>>> Fixes: 2e5702aff395 ("drm/nouveau: fabricate DCB encoder table for iMac G4")
>>>>> Signed-off-by: Mikhail Kobuk
>>>>> ---
>>>>>  drivers/gpu/drm/nouveau/dispnv04/dac.c | 4 ++--
>>>>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>>>>
>>>>> diff --git a/drivers/gpu/drm/nouveau/dispnv04/dac.c b/drivers/gpu/drm/nouveau/dispnv04/dac.c
>>>>> index d6b8e0cce2ac..0c8d4fc95ff3 100644
>>>>> --- a/drivers/gpu/drm/nouveau/dispnv04/dac.c
>>>>> +++ b/drivers/gpu/drm/nouveau/dispnv04/dac.c
@@ -428,7 +428,7 @@ void nv04_dac_update_dacclk(struct drm_encoder *encoder, bool enable) struct drm_device *dev = encoder->dev; struct dcb_output *dcb = nouveau_encoder(encoder)->dcb; - if (nv_gf4_disp_arch(dev)) { + if (nv_gf4_disp_arch(dev) && ffs(dcb->or)) { uint32_t *dac_users = _display(dev)- dac_users[ffs(dcb->or) - 1]; int dacclk_off = NV_PRAMDAC_DACCLK + nv04_dac_output_offset(encoder); uint32_t dacclk = NVReadRAMDAC(dev, 0, dacclk_off); @@ -453,7 +453,7 @@ bool nv04_dac_in_use(struct drm_encoder *encoder) struct drm_device *dev = encoder->dev; struct dcb_output *dcb = nouveau_encoder(encoder)->dcb; - return nv_gf4_disp_arch(encoder->dev) && + return nv_gf4_disp_arch(encoder->dev) && ffs(dcb->or) && (nv04_display(dev)->dac_users[ffs(dcb->or) - 1] & ~(1 << dcb->index)); }
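As an added worked example (not nouveau code and not written by anyone in this thread), the following C program models the two readings of dcb->or that the thread is weighing: a plain index, which is what fabricate_dcb_output() currently stores, and a single-bit mask from enum nouveau_or, which is what dac_users[ffs(or) - 1] assumes. It shows that the ffs() guard from the patch only catches or == 0, that index-style values 1 and 2 pass that guard but select the wrong DAC slot, and what a complete validity check looks like. struct dcb_output, struct nv04_display, NV04_NUM_DACS, ffs_like() and the table contents are cut-down stand-ins constructed for this demo; only enum nouveau_or is taken from the thread.

```c
/* Added example, not nouveau code: models dcb_output.or as an index vs. a
 * one-bit mask and shows why dac_users[ffs(or) - 1] breaks for or == 0.
 * Build: cc -Wall or_demo.c -o or_demo && ./or_demo */
#include <stdint.h>
#include <stdio.h>

/* Assumption for this demo: one dac_users[] slot per DCB_OUTPUT_A..C. */
#define NV04_NUM_DACS 3

enum nouveau_or {		/* as quoted from nouveau_bios.h in the thread */
	DCB_OUTPUT_A = (1 << 0),
	DCB_OUTPUT_B = (1 << 1),
	DCB_OUTPUT_C = (1 << 2)
};

struct dcb_output { int index; int or; };		/* minimal stand-in */
struct nv04_display { uint32_t dac_users[NV04_NUM_DACS]; };

/* Same contract as the kernel's ffs(): 1-based position of the lowest set bit, 0 if none. */
static int ffs_like(int x)
{
	return x ? __builtin_ctz((unsigned int)x) + 1 : 0;
}

/* Pre-patch lookup as in dac.c: ffs(0) == 0, so or == 0 yields slot -1. */
static int dac_slot_unchecked(int or)
{
	return ffs_like(or) - 1;
}

/* Hardened lookup: or must be exactly one bit, and that bit must name an existing slot. */
static int dac_slot_checked(int or)
{
	if (or == 0 || (or & (or - 1)) != 0)	/* zero, or more than one bit set */
		return -1;
	int slot = ffs_like(or) - 1;
	return slot < NV04_NUM_DACS ? slot : -1;	/* e.g. 1 << 3 has no dac_users[] entry */
}

/* Constructed 3-entry table. With as_bitmask == 0 the "or" column holds plain
 * indices 0,1,2 (the assignment the thread identifies as the bug); with
 * as_bitmask != 0 it holds DCB_OUTPUT_A..C as the enum intends. */
static void fabricate_table(struct dcb_output *tbl, int as_bitmask)
{
	for (int i = 0; i < 3; i++) {
		tbl[i].index = i;
		tbl[i].or = as_bitmask ? (1 << i) : i;
	}
}

/* Number of entries that dac_slot_checked() rejects. */
static int count_bad_or(const struct dcb_output *tbl, int n)
{
	int bad = 0;
	for (int i = 0; i < n; i++)
		if (dac_slot_checked(tbl[i].or) < 0)
			bad++;
	return bad;
}

/* Checked analogue of nv04_dac_in_use(): 1 = another encoder holds this DAC,
 * 0 = free, -1 = malformed entry (report it; do not quietly treat it as free). */
static int dac_in_use_checked(const struct nv04_display *disp, const struct dcb_output *dcb)
{
	int slot = dac_slot_checked(dcb->or);
	if (slot < 0)
		return -1;
	return (disp->dac_users[slot] & ~(1u << dcb->index)) != 0;
}

/* Record that encoder dcb->index drives its DAC; returns the slot, or -1. */
static int dac_claim(struct nv04_display *disp, const struct dcb_output *dcb)
{
	int slot = dac_slot_checked(dcb->or);
	if (slot < 0)
		return -1;
	disp->dac_users[slot] |= 1u << dcb->index;
	return slot;
}

int main(void)
{
	struct dcb_output as_index[3], as_bits[3];
	fabricate_table(as_index, 0);
	fabricate_table(as_bits, 1);

	for (int i = 0; i < 3; i++)
		printf("entry %d: index-style or=%d -> raw slot %d, checked %d; "
		       "bitmask-style or=%d -> checked %d\n",
		       i, as_index[i].or, dac_slot_unchecked(as_index[i].or),
		       dac_slot_checked(as_index[i].or),
		       as_bits[i].or, dac_slot_checked(as_bits[i].or));
	printf("rejected entries: index-style %d, bitmask-style %d\n",
	       count_bad_or(as_index, 3), count_bad_or(as_bits, 3));

	/* Two encoders (index 0 and 1) both wired to DCB_OUTPUT_A share one DAC. */
	struct nv04_display disp = { { 0 } };
	struct dcb_output e0 = { 0, DCB_OUTPUT_A }, e1 = { 1, DCB_OUTPUT_A }, bad = { 2, 0 };
	dac_claim(&disp, &e0);
	printf("e0 sees DAC held by another encoder: %d, e1: %d, malformed entry: %d\n",
	       dac_in_use_checked(&disp, &e0), dac_in_use_checked(&disp, &e1),
	       dac_in_use_checked(&disp, &bad));
	return 0;
}
```

The point to take from the index-style run is that only the or == 0 entry is rejected: the entries carrying 1 and 2 are valid one-bit masks by accident and land on slots 0 and 1 instead of 1 and 2, so a non-zero check in dac.c cannot tell a correct table from a mis-fabricated one. That is why fixing the fabricate_dcb_output() callers to pass enum nouveau_or values, as agreed above, removes the problem where a guard at the lookup only masks it.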
Re: [PATCH] drm: nv04: Add check to avoid out of bounds access
On 4/5/24 22:05, Lyude Paul wrote:
> On Fri, 2024-04-05 at 17:53 +0200, Danilo Krummrich wrote:
>> On 3/31/24 08:45, Mikhail Kobuk wrote:
>>> Output Resource (dcb->or) value is not guaranteed to be non-zero (i.e.
>>> in drivers/gpu/drm/nouveau/nouveau_bios.c, in 'fabricate_dcb_encoder_table()'
>>> 'dcb->or' is assigned value '0' in call to 'fabricate_dcb_output()').
>>
>> I don't really know much about the semantics of this code.
>>
>> Looking at fabricate_dcb_output() though I wonder if the intention was to assign
>> BIT(or) to entry->or.
>>
>> @Lyude, can you help here?
>
> This code is definitely a bit before my time as well - but I think you're
> completely correct. Especially considering this bit I found in nouveau_bios.h:

Thanks for confirming.

@Mikhail, I think we should rather fix this assignment then.

- Danilo

> enum nouveau_or {
> 	DCB_OUTPUT_A = (1 << 0),
> 	DCB_OUTPUT_B = (1 << 1),
> 	DCB_OUTPUT_C = (1 << 2)
> };
>
>> Otherwise, for parsing the DCB entries, it seems that the bound checks are
>> happening in olddcb_outp_foreach() [1].
>>
>> [1] https://elixir.bootlin.com/linux/latest/source/drivers/gpu/drm/nouveau/nouveau_bios.c#L1331
>>
>>> Add check to validate 'dcb->or' before it's used.
>>>
>>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>>
>>> Fixes: 2e5702aff395 ("drm/nouveau: fabricate DCB encoder table for iMac G4")
>>> Signed-off-by: Mikhail Kobuk
>>> ---
>>>  drivers/gpu/drm/nouveau/dispnv04/dac.c | 4 ++--
>>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/gpu/drm/nouveau/dispnv04/dac.c b/drivers/gpu/drm/nouveau/dispnv04/dac.c
>>> index d6b8e0cce2ac..0c8d4fc95ff3 100644
>>> --- a/drivers/gpu/drm/nouveau/dispnv04/dac.c
>>> +++ b/drivers/gpu/drm/nouveau/dispnv04/dac.c
@@ -428,7 +428,7 @@ void nv04_dac_update_dacclk(struct drm_encoder *encoder, bool enable) struct drm_device *dev = encoder->dev; struct dcb_output *dcb = nouveau_encoder(encoder)->dcb; - if (nv_gf4_disp_arch(dev)) { + if (nv_gf4_disp_arch(dev) && ffs(dcb->or)) { uint32_t *dac_users = _display(dev)- dac_users[ffs(dcb->or) - 1]; int dacclk_off = NV_PRAMDAC_DACCLK + nv04_dac_output_offset(encoder); uint32_t dacclk = NVReadRAMDAC(dev, 0, dacclk_off); @@ -453,7 +453,7 @@ bool nv04_dac_in_use(struct drm_encoder *encoder) struct drm_device *dev = encoder->dev; struct dcb_output *dcb = nouveau_encoder(encoder)->dcb; - return nv_gf4_disp_arch(encoder->dev) && + return nv_gf4_disp_arch(encoder->dev) && ffs(dcb->or) && (nv04_display(dev)->dac_users[ffs(dcb->or) - 1] & ~(1 << dcb->index)); }
Re: [PATCH] drm: nv04: Add check to avoid out of bounds access
On Fri, 2024-04-05 at 17:53 +0200, Danilo Krummrich wrote:
> On 3/31/24 08:45, Mikhail Kobuk wrote:
> > Output Resource (dcb->or) value is not guaranteed to be non-zero (i.e.
> > in drivers/gpu/drm/nouveau/nouveau_bios.c, in 'fabricate_dcb_encoder_table()'
> > 'dcb->or' is assigned value '0' in call to 'fabricate_dcb_output()').
> 
> I don't really know much about the semantics of this code.
> 
> Looking at fabricate_dcb_output() though I wonder if the intention was to assign
> BIT(or) to entry->or.
> 
> @Lyude, can you help here?

This code is definitely a bit before my time as well - but I think you're
completely correct. Especially considering this bit I found in nouveau_bios.h:

enum nouveau_or {
	DCB_OUTPUT_A = (1 << 0),
	DCB_OUTPUT_B = (1 << 1),
	DCB_OUTPUT_C = (1 << 2)
};

> 
> Otherwise, for parsing the DCB entries, it seems that the bound checks are
> happening in olddcb_outp_foreach() [1].
> 
> [1] https://elixir.bootlin.com/linux/latest/source/drivers/gpu/drm/nouveau/nouveau_bios.c#L1331
> 
> > 
> > Add check to validate 'dcb->or' before it's used.
> > 
> > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> > 
> > Fixes: 2e5702aff395 ("drm/nouveau: fabricate DCB encoder table for iMac G4")
> > Signed-off-by: Mikhail Kobuk
> > ---
> >  drivers/gpu/drm/nouveau/dispnv04/dac.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/gpu/drm/nouveau/dispnv04/dac.c b/drivers/gpu/drm/nouveau/dispnv04/dac.c
> > index d6b8e0cce2ac..0c8d4fc95ff3 100644
> > --- a/drivers/gpu/drm/nouveau/dispnv04/dac.c
> > +++ b/drivers/gpu/drm/nouveau/dispnv04/dac.c
> > @@ -428,7 +428,7 @@ void nv04_dac_update_dacclk(struct drm_encoder > > *encoder, bool enable) > > struct drm_device *dev = encoder->dev; > > struct dcb_output *dcb = nouveau_encoder(encoder)->dcb; > > > > - if (nv_gf4_disp_arch(dev)) { > > + if (nv_gf4_disp_arch(dev) && ffs(dcb->or)) { > > uint32_t *dac_users = _display(dev)- > > >dac_users[ffs(dcb->or) - 1]; > > int dacclk_off = NV_PRAMDAC_DACCLK + > > nv04_dac_output_offset(encoder); > > uint32_t dacclk = NVReadRAMDAC(dev, 0, > > dacclk_off); > > @@ -453,7 +453,7 @@ bool nv04_dac_in_use(struct drm_encoder > > *encoder) > > struct drm_device *dev = encoder->dev; > > struct dcb_output *dcb = nouveau_encoder(encoder)->dcb; > > > > - return nv_gf4_disp_arch(encoder->dev) && > > + return nv_gf4_disp_arch(encoder->dev) && ffs(dcb->or) && > > (nv04_display(dev)->dac_users[ffs(dcb->or) - 1] & > > ~(1 << dcb->index)); > > }
> > 
> 
-- 
Cheers,
Lyude Paul (she/her)
Software Engineer at Red Hat
Re: [PATCH] drm: nv04: Add check to avoid out of bounds access
On 3/31/24 08:45, Mikhail Kobuk wrote:
> Output Resource (dcb->or) value is not guaranteed to be non-zero (i.e.
> in drivers/gpu/drm/nouveau/nouveau_bios.c, in 'fabricate_dcb_encoder_table()'
> 'dcb->or' is assigned value '0' in call to 'fabricate_dcb_output()').

I don't really know much about the semantics of this code.

Looking at fabricate_dcb_output() though I wonder if the intention was to assign
BIT(or) to entry->or.

@Lyude, can you help here?

Otherwise, for parsing the DCB entries, it seems that the bound checks are
happening in olddcb_outp_foreach() [1].

[1] https://elixir.bootlin.com/linux/latest/source/drivers/gpu/drm/nouveau/nouveau_bios.c#L1331

> Add check to validate 'dcb->or' before it's used.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 2e5702aff395 ("drm/nouveau: fabricate DCB encoder table for iMac G4")
> Signed-off-by: Mikhail Kobuk
> ---
>  drivers/gpu/drm/nouveau/dispnv04/dac.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/nouveau/dispnv04/dac.c b/drivers/gpu/drm/nouveau/dispnv04/dac.c
> index d6b8e0cce2ac..0c8d4fc95ff3 100644
> --- a/drivers/gpu/drm/nouveau/dispnv04/dac.c
> +++ b/drivers/gpu/drm/nouveau/dispnv04/dac.c
@@ -428,7 +428,7 @@ void nv04_dac_update_dacclk(struct drm_encoder *encoder, bool enable) struct drm_device *dev = encoder->dev; struct dcb_output *dcb = nouveau_encoder(encoder)->dcb; - if (nv_gf4_disp_arch(dev)) { + if (nv_gf4_disp_arch(dev) && ffs(dcb->or)) { uint32_t *dac_users = _display(dev)->dac_users[ffs(dcb->or) - 1]; int dacclk_off = NV_PRAMDAC_DACCLK + nv04_dac_output_offset(encoder); uint32_t dacclk = NVReadRAMDAC(dev, 0, dacclk_off); @@ -453,7 +453,7 @@ bool nv04_dac_in_use(struct drm_encoder *encoder) struct drm_device *dev = encoder->dev; struct dcb_output *dcb = nouveau_encoder(encoder)->dcb; - return nv_gf4_disp_arch(encoder->dev) && + return nv_gf4_disp_arch(encoder->dev) && ffs(dcb->or) && (nv04_display(dev)->dac_users[ffs(dcb->or) - 1] & ~(1 << dcb->index)); }