This is a note to let you know that I've just added the patch titled
drm/atomic: fix out of bounds read in for_each_*_in_state helpers
to the 4.1-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
drm-atomic-fix-out-of-bounds-read-in-for_each_-_in_state-helpers.patch
and it can be found in the queue-4.1 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From 60f207a5b6d8f23c2e8388b415e8d5c7311cc79d Mon Sep 17 00:00:00 2001
From: Andrey Ryabinin <[email protected]>
Date: Mon, 25 May 2015 13:29:44 +0300
Subject: drm/atomic: fix out of bounds read in for_each_*_in_state helpers
From: Andrey Ryabinin <[email protected]>
commit 60f207a5b6d8f23c2e8388b415e8d5c7311cc79d upstream.
for_each_*_in_state validate array index after
access to array elements, thus perform out of bounds read.
Fix this by validating index in the first place and read
array element iff validation was successful.
Fixes: df63b9994eaf ("drm/atomic: Add for_each_{connector,crtc,plane}_in_state
helper macros")
Signed-off-by: Andrey Ryabinin <[email protected]>
Signed-off-by: Daniel Vetter <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
include/drm/drm_atomic.h | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
--- a/include/drm/drm_atomic.h
+++ b/include/drm/drm_atomic.h
@@ -77,26 +77,26 @@ int __must_check drm_atomic_async_commit
#define for_each_connector_in_state(state, connector, connector_state, __i) \
for ((__i) = 0; \
- (connector) = (state)->connectors[__i], \
- (connector_state) = (state)->connector_states[__i], \
- (__i) < (state)->num_connector; \
+ (__i) < (state)->num_connector && \
+ ((connector) = (state)->connectors[__i], \
+ (connector_state) = (state)->connector_states[__i], 1); \
(__i)++) \
if (connector)
#define for_each_crtc_in_state(state, crtc, crtc_state, __i) \
for ((__i) = 0; \
- (crtc) = (state)->crtcs[__i], \
- (crtc_state) = (state)->crtc_states[__i], \
- (__i) < (state)->dev->mode_config.num_crtc; \
+ (__i) < (state)->dev->mode_config.num_crtc && \
+ ((crtc) = (state)->crtcs[__i], \
+ (crtc_state) = (state)->crtc_states[__i], 1); \
(__i)++) \
if (crtc_state)
-#define for_each_plane_in_state(state, plane, plane_state, __i) \
- for ((__i) = 0; \
- (plane) = (state)->planes[__i], \
- (plane_state) = (state)->plane_states[__i], \
- (__i) < (state)->dev->mode_config.num_total_plane; \
- (__i)++) \
+#define for_each_plane_in_state(state, plane, plane_state, __i)
\
+ for ((__i) = 0; \
+ (__i) < (state)->dev->mode_config.num_total_plane && \
+ ((plane) = (state)->planes[__i], \
+ (plane_state) = (state)->plane_states[__i], 1); \
+ (__i)++) \
if (plane_state)
#endif /* DRM_ATOMIC_H_ */
Patches currently in stable-queue which might be from [email protected] are
queue-4.1/drm-atomic-fix-out-of-bounds-read-in-for_each_-_in_state-helpers.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
