Message ID | YD4eZLCFU+fbTGIp@mwanda (mailing list archive) |
---|---|
State | New, archived |
Series | drm/amd/display: Fix off by one in hdmi_14_process_transaction() |
[AMD Official Use Only - Internal Distribution Only]
Thanks
Reviewed-by: Bhawanpreet Lakha <Bhawanpreet.Lakha@amd.com>
Applied. Thanks!

Alex

On Tue, Mar 2, 2021 at 2:26 PM Lakha, Bhawanpreet <Bhawanpreet.Lakha@amd.com> wrote:
>
> [AMD Official Use Only - Internal Distribution Only]
>
>
> Thanks
>
> Reviewed-by: Bhawanpreet Lakha <Bhawanpreet.Lakha@amd.com>
> ________________________________
> From: Dan Carpenter <dan.carpenter@oracle.com>
> Sent: March 2, 2021 6:15 AM
> To: Wentland, Harry <Harry.Wentland@amd.com>; Lakha, Bhawanpreet <Bhawanpreet.Lakha@amd.com>
> Cc: Li, Sun peng (Leo) <Sunpeng.Li@amd.com>; Deucher, Alexander <Alexander.Deucher@amd.com>; Koenig, Christian <Christian.Koenig@amd.com>; David Airlie <airlied@linux.ie>; Daniel Vetter <daniel@ffwll.ch>; Dan Carpenter <dan.carpenter@oracle.com>; Lakha, Bhawanpreet <Bhawanpreet.Lakha@amd.com>; Siqueira, Rodrigo <Rodrigo.Siqueira@amd.com>; Liu, Wenjing <Wenjing.Liu@amd.com>; amd-gfx@lists.freedesktop.org <amd-gfx@lists.freedesktop.org>; dri-devel@lists.freedesktop.org <dri-devel@lists.freedesktop.org>; kernel-janitors@vger.kernel.org <kernel-janitors@vger.kernel.org>
> Subject: [PATCH] drm/amd/display: Fix off by one in hdmi_14_process_transaction()
>
> The hdcp_i2c_offsets[] array did not have an entry for
> HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE so it led to an off by one
> read overflow. I added an entry and copied the 0x0 value for the offset
> from similar code in drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c.
>
> I also declared several of these arrays as having HDCP_MESSAGE_ID_MAX
> entries. This doesn't change the code, but it's just a belt and
> suspenders approach to try to future proof the code.
>
> Fixes: 4c283fdac08a ("drm/amd/display: Add HDCP module")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> From static analysis, as mentioned in the commit message the offset
> is basically an educated guess.
>
> I reported this bug on Apr 16, 2020 but I guess we lost track of it.
>
> drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
> > diff --git a/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c b/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c > index 5e384a8a83dc..51855a2624cf 100644 > --- a/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c > +++ b/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c > @@ -39,7 +39,7 @@ > #define HDCP14_KSV_SIZE 5 > #define HDCP14_MAX_KSV_FIFO_SIZE 127*HDCP14_KSV_SIZE > > -static const bool hdcp_cmd_is_read[] = { > +static const bool hdcp_cmd_is_read[HDCP_MESSAGE_ID_MAX] = { > [HDCP_MESSAGE_ID_READ_BKSV] = true, > [HDCP_MESSAGE_ID_READ_RI_R0] = true, > [HDCP_MESSAGE_ID_READ_PJ] = true, > @@ -75,7 +75,7 @@ static const bool hdcp_cmd_is_read[] = { > [HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE] = false > }; > > -static const uint8_t hdcp_i2c_offsets[] = { > +static const uint8_t hdcp_i2c_offsets[HDCP_MESSAGE_ID_MAX] = { > [HDCP_MESSAGE_ID_READ_BKSV] = 0x0, > [HDCP_MESSAGE_ID_READ_RI_R0] = 0x8, > [HDCP_MESSAGE_ID_READ_PJ] = 0xA, > @@ -106,7 +106,8 @@ static const uint8_t hdcp_i2c_offsets[] = { > [HDCP_MESSAGE_ID_WRITE_REPEATER_AUTH_SEND_ACK] = 0x60, > [HDCP_MESSAGE_ID_WRITE_REPEATER_AUTH_STREAM_MANAGE] = 0x60, > [HDCP_MESSAGE_ID_READ_REPEATER_AUTH_STREAM_READY] = 0x80, > - [HDCP_MESSAGE_ID_READ_RXSTATUS] = 0x70 > + [HDCP_MESSAGE_ID_READ_RXSTATUS] = 0x70, > + [HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE] = 0x0, > }; > > struct protection_properties { > @@ -184,7 +185,7 @@ static const struct protection_properties hdmi_14_protection = { > .process_transaction = hdmi_14_process_transaction > }; > > -static const uint32_t hdcp_dpcd_addrs[] = { > +static const uint32_t hdcp_dpcd_addrs[HDCP_MESSAGE_ID_MAX] = { > [HDCP_MESSAGE_ID_READ_BKSV] = 0x68000, > [HDCP_MESSAGE_ID_READ_RI_R0] = 0x68005, > [HDCP_MESSAGE_ID_READ_PJ] = 0xFFFFFFFF, > -- > 2.30.1 > > _______________________________________________ > dri-devel mailing list > dri-devel@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/dri-devel
diff --git a/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c b/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c index 5e384a8a83dc..51855a2624cf 100644 --- a/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c +++ b/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c @@ -39,7 +39,7 @@ #define HDCP14_KSV_SIZE 5 #define HDCP14_MAX_KSV_FIFO_SIZE 127*HDCP14_KSV_SIZE -static const bool hdcp_cmd_is_read[] = { +static const bool hdcp_cmd_is_read[HDCP_MESSAGE_ID_MAX] = { [HDCP_MESSAGE_ID_READ_BKSV] = true, [HDCP_MESSAGE_ID_READ_RI_R0] = true, [HDCP_MESSAGE_ID_READ_PJ] = true, @@ -75,7 +75,7 @@ static const bool hdcp_cmd_is_read[] = { [HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE] = false }; -static const uint8_t hdcp_i2c_offsets[] = { +static const uint8_t hdcp_i2c_offsets[HDCP_MESSAGE_ID_MAX] = { [HDCP_MESSAGE_ID_READ_BKSV] = 0x0, [HDCP_MESSAGE_ID_READ_RI_R0] = 0x8, [HDCP_MESSAGE_ID_READ_PJ] = 0xA, @@ -106,7 +106,8 @@ static const uint8_t hdcp_i2c_offsets[] = { [HDCP_MESSAGE_ID_WRITE_REPEATER_AUTH_SEND_ACK] = 0x60, [HDCP_MESSAGE_ID_WRITE_REPEATER_AUTH_STREAM_MANAGE] = 0x60, [HDCP_MESSAGE_ID_READ_REPEATER_AUTH_STREAM_READY] = 0x80, - [HDCP_MESSAGE_ID_READ_RXSTATUS] = 0x70 + [HDCP_MESSAGE_ID_READ_RXSTATUS] = 0x70, + [HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE] = 0x0, }; struct protection_properties { @@ -184,7 +185,7 @@ static const struct protection_properties hdmi_14_protection = { .process_transaction = hdmi_14_process_transaction }; -static const uint32_t hdcp_dpcd_addrs[] = { +static const uint32_t hdcp_dpcd_addrs[HDCP_MESSAGE_ID_MAX] = { [HDCP_MESSAGE_ID_READ_BKSV] = 0x68000, [HDCP_MESSAGE_ID_READ_RI_R0] = 0x68005, [HDCP_MESSAGE_ID_READ_PJ] = 0xFFFFFFFF,
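Review bot: sizing hdcp_cmd_is_read[] with HDCP_MESSAGE_ID_MAX in the first hunk (and likewise the hdcp_i2c_offsets and hdcp_dpcd_addrs declarations) means a forgotten initializer now reads as a silent zero, false here, instead of leaving a short array that a static checker can flag. Consider keeping the `[]` declaration and adding `static_assert(ARRAY_SIZE(hdcp_cmd_is_read) == HDCP_MESSAGE_ID_MAX);` next to each table, so a missing trailing entry fails the build rather than being zero-filled. This assumes HDCP_MESSAGE_ID_MAX is one past the last valid ID; the enum definition is not part of this diff.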
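Review bot: the 0x0 offset added for HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE in the `@@ -106,7 +106,8` hunk is the same value the table gives HDCP_MESSAGE_ID_READ_BKSV, and the submitter describes it as an educated guess. It needs confirmation from someone with the HDCP register map, plus a short comment on that line saying where the value comes from. If this message ID is never valid for hdmi_14_process_transaction(), rejecting it before the table lookup would be clearer than storing a placeholder offset.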
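Review bot: in the last hunk, hdcp_dpcd_addrs[HDCP_MESSAGE_ID_MAX] zero-fills any ID that has no initializer, while the visible entry for HDCP_MESSAGE_ID_READ_PJ is 0xFFFFFFFF. If 0xFFFFFFFF is the marker for a message with no DPCD address, a gap in the table would read as address 0x0 and not match that marker. Listing every message ID explicitly, with 0xFFFFFFFF where there is no address, keeps the two cases distinguishable.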
The hdcp_i2c_offsets[] array did not have an entry for
HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE so it led to an off by one
read overflow. I added an entry and copied the 0x0 value for the offset
from similar code in drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c.

I also declared several of these arrays as having HDCP_MESSAGE_ID_MAX
entries. This doesn't change the code, but it's just a belt and
suspenders approach to try to future proof the code.

Fixes: 4c283fdac08a ("drm/amd/display: Add HDCP module")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
From static analysis, as mentioned in the commit message the offset
is basically an educated guess.

I reported this bug on Apr 16, 2020 but I guess we lost track of it.

 drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)