Re: [PATCH] drm/amdgpu: fix out of bounds write

2021-10-27 Thread Guenter Roeck

On 10/27/21 8:22 AM, Harry Wentland wrote:

On 2021-10-27 10:39, Guenter Roeck wrote:

On Wed, Oct 13, 2021 at 04:04:13PM -0400, Thelford Williams wrote:

Size can be any value and is user controlled resulting in overwriting the
40 byte array wr_buf with an arbitrary length of data from buf.

Signed-off-by: Thelford Williams 
Signed-off-by: Alex Deucher 


The fix works, but unless I am missing something it is incomplete.
parse_write_buffer_into_params() is called several times, and the
size parameter is always wrong. This patch only fixes one of several
instances of the problem.



Patrik sent a patch that covers all cases:
https://patchwork.freedesktop.org/patch/461554/?series=96341=2

Harry


Thanks!

Guenter


Guenter


---
  drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c 
b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
index 814f67d86a3c..9b3ad56607bb 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
@@ -264,7 +264,7 @@ static ssize_t dp_link_settings_write(struct file *f, const 
char __user *buf,
if (!wr_buf)
return -ENOSPC;
  
-	if (parse_write_buffer_into_params(wr_buf, size,

+   if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
   (long *)param, buf,
   max_param_num,
   _nums)) {
--
2.33.0






Re: [PATCH] drm/amdgpu: fix out of bounds write

2021-10-27 Thread Harry Wentland
On 2021-10-27 10:39, Guenter Roeck wrote:
> On Wed, Oct 13, 2021 at 04:04:13PM -0400, Thelford Williams wrote:
>> Size can be any value and is user controlled resulting in overwriting the
>> 40 byte array wr_buf with an arbitrary length of data from buf.
>>
>> Signed-off-by: Thelford Williams 
>> Signed-off-by: Alex Deucher 
> 
> The fix works, but unless I am missing something it is incomplete.
> parse_write_buffer_into_params() is called several times, and the
> size parameter is always wrong. This patch only fixes one of several
> instances of the problem.
> 

Patrik sent a patch that covers all cases:
https://patchwork.freedesktop.org/patch/461554/?series=96341=2

Harry

> Guenter
> 
>> ---
>>  drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c 
>> b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> index 814f67d86a3c..9b3ad56607bb 100644
>> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> @@ -264,7 +264,7 @@ static ssize_t dp_link_settings_write(struct file *f, 
>> const char __user *buf,
>>  if (!wr_buf)
>>  return -ENOSPC;
>>  
>> -if (parse_write_buffer_into_params(wr_buf, size,
>> +if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> _nums)) {
>> -- 
>> 2.33.0



Re: [PATCH] drm/amdgpu: fix out of bounds write

2021-10-27 Thread Guenter Roeck
On Wed, Oct 13, 2021 at 04:04:13PM -0400, Thelford Williams wrote:
> Size can be any value and is user controlled resulting in overwriting the
> 40 byte array wr_buf with an arbitrary length of data from buf.
> 
> Signed-off-by: Thelford Williams 
> Signed-off-by: Alex Deucher 

The fix works, but unless I am missing something it is incomplete.
parse_write_buffer_into_params() is called several times, and the
size parameter is always wrong. This patch only fixes one of several
instances of the problem.

Guenter

> ---
>  drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c 
> b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> index 814f67d86a3c..9b3ad56607bb 100644
> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> @@ -264,7 +264,7 @@ static ssize_t dp_link_settings_write(struct file *f, 
> const char __user *buf,
>   if (!wr_buf)
>   return -ENOSPC;
>  
> - if (parse_write_buffer_into_params(wr_buf, size,
> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>  (long *)param, buf,
>  max_param_num,
>  _nums)) {
> -- 
> 2.33.0


Re: [PATCH] drm/amdgpu: fix out of bounds write

2021-10-27 Thread Patrik Jakobsson
On Wed, Oct 27, 2021 at 12:08 PM Patrik Jakobsson
 wrote:
>
> On Wed, Oct 13, 2021 at 10:41 PM Alex Deucher  wrote:
> >
> > On Wed, Oct 13, 2021 at 4:04 PM T. Williams  wrote:
> > >
> >
> > The description and s-o-b should go here and the patch seems to be
> > mangled.  I've manually applied this.  Please fix up your mailer in
> > the future.
> >
> > Thanks for the fix.
>
> Hi Thelford and Alex
>
> There are several more instances of size being used instead of
> wr_buf_size in amdgpu_dm_debugfs.c.
>
> IMO the proper fix here would be to revert
> 918698d5c2b50433714d2042f55b55b090faa167

Actually, there's one instance that a revert doesn't cover. Instead I
sent out a patch to fix the remaining ones.

>
> -Patrik
>
> >
> > Alex
> >
> >
> > > ---
> > >  drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c 
> > > b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > > index 87daa78a32b8..17f2756a64dc 100644
> > > --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > > +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > > @@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f, 
> > > const char __user *buf,
> > > if (!wr_buf)
> > > return -ENOSPC;
> > >
> > > -   if (parse_write_buffer_into_params(wr_buf, size,
> > > +   if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> > >(long *)param, buf,
> > >max_param_num,
> > >_nums)) {
> > > --
> > >
> > > Size can be any value and is user controlled resulting in overwriting the 
> > > 40 byte array wr_buf with an arbitrary length of data from buf.
> > >
> > > Signed-off-by: Thelford Williams 


Re: [PATCH] drm/amdgpu: fix out of bounds write

2021-10-27 Thread Patrik Jakobsson
On Wed, Oct 13, 2021 at 10:41 PM Alex Deucher  wrote:
>
> On Wed, Oct 13, 2021 at 4:04 PM T. Williams  wrote:
> >
>
> The description and s-o-b should go here and the patch seems to be
> mangled.  I've manually applied this.  Please fix up your mailer in
> the future.
>
> Thanks for the fix.

Hi Thelford and Alex

There are several more instances of size being used instead of
wr_buf_size in amdgpu_dm_debugfs.c.

IMO the proper fix here would be to revert
918698d5c2b50433714d2042f55b55b090faa167

-Patrik

>
> Alex
>
>
> > ---
> >  drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c 
> > b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > index 87daa78a32b8..17f2756a64dc 100644
> > --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > @@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f, 
> > const char __user *buf,
> > if (!wr_buf)
> > return -ENOSPC;
> >
> > -   if (parse_write_buffer_into_params(wr_buf, size,
> > +   if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> >(long *)param, buf,
> >max_param_num,
> >_nums)) {
> > --
> >
> > Size can be any value and is user controlled resulting in overwriting the 
> > 40 byte array wr_buf with an arbitrary length of data from buf.
> >
> > Signed-off-by: Thelford Williams 


Re: [PATCH] drm/amdgpu: fix out of bounds write

2021-10-13 Thread Alex Deucher
On Wed, Oct 13, 2021 at 4:04 PM T. Williams  wrote:
>

The description and s-o-b should go here and the patch seems to be
mangled.  I've manually applied this.  Please fix up your mailer in
the future.

Thanks for the fix.

Alex


> ---
>  drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c 
> b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> index 87daa78a32b8..17f2756a64dc 100644
> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> @@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f, 
> const char __user *buf,
> if (!wr_buf)
> return -ENOSPC;
>
> -   if (parse_write_buffer_into_params(wr_buf, size,
> +   if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>(long *)param, buf,
>max_param_num,
>_nums)) {
> --
>
> Size can be any value and is user controlled resulting in overwriting the 40 
> byte array wr_buf with an arbitrary length of data from buf.
>
> Signed-off-by: Thelford Williams 


[PATCH] drm/amdgpu: fix out of bounds write

2021-10-13 Thread T. Williams
---
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
index 87daa78a32b8..17f2756a64dc 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
@@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f,
const char __user *buf,
if (!wr_buf)
return -ENOSPC;

-   if (parse_write_buffer_into_params(wr_buf, size,
+   if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
   (long *)param, buf,
   max_param_num,
   _nums)) {
-- 
Size can be any value and is user controlled resulting in overwriting the
40 byte array wr_buf with an arbitrary length of data from buf.
Signed-off-by: Thelford Williams