drm/bridge/sii8620: Fix memory corruption

Message ID	1503311571-25819-1-git-send-email-m.purski@samsung.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <dri-devel-bounces@lists.freedesktop.org> From: Maciej Purski <m.purski@samsung.com> To: dri-devel@lists.freedesktop.org Subject: [PATCH] drm/bridge/sii8620: Fix memory corruption Date: Mon, 21 Aug 2017 12:32:51 +0200 Message-id: <1503311571-25819-1-git-send-email-m.purski@samsung.com> CMS-TYPE: 201P References: <CGME20170821103306eucas1p204dcad5c21e623af92859b61ad2528f3@eucas1p2.samsung.com> Cc: Laurent.pinchart@ideasonboard.com, Maciej Purski <m.purski@samsung.com> Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

Message ID

1503311571-25819-1-git-send-email-m.purski@samsung.com (mailing list archive)

State

New, archived

Headers

From: Maciej Purski <m.purski@samsung.com>
To: dri-devel@lists.freedesktop.org
Subject: [PATCH] drm/bridge/sii8620: Fix memory corruption
Date: Mon, 21 Aug 2017 12:32:51 +0200
Message-id: <1503311571-25819-1-git-send-email-m.purski@samsung.com>
CMS-TYPE: 201P
References: <CGME20170821103306eucas1p204dcad5c21e623af92859b61ad2528f3@eucas1p2.samsung.com>
Cc: Laurent.pinchart@ideasonboard.com, Maciej Purski <m.purski@samsung.com>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

Commit Message

Maciej Purski Aug. 21, 2017, 10:32 a.m. UTC

Function sii8620_mt_read_devcap_reg_recv() used to read array index
from a wrong msg register, which caused writing out of array
bounds. It led to writing on other fields of struct sii8620.

Signed-off-by: Maciej Purski <m.purski@samsung.com>
Fixes: e9c6da270 ("drm/bridge/sii8620: add reading device capability
       registers")
---
 drivers/gpu/drm/bridge/sil-sii8620.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Andrzej Hajda Aug. 24, 2017, 5:28 p.m. UTC | #1

On 21.08.2017 12:32, Maciej Purski wrote:
> Function sii8620_mt_read_devcap_reg_recv() used to read array index
> from a wrong msg register, which caused writing out of array
> bounds. It led to writing on other fields of struct sii8620.
>
> Signed-off-by: Maciej Purski <m.purski@samsung.com>
> Fixes: e9c6da270 ("drm/bridge/sii8620: add reading device capability
>        registers")
> ---

Queued to drm-misc-fixes.

Regards
Andrzej

>  drivers/gpu/drm/bridge/sil-sii8620.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/bridge/sil-sii8620.c b/drivers/gpu/drm/bridge/sil-sii8620.c
> index 2d51a22..5131bfb 100644
> --- a/drivers/gpu/drm/bridge/sil-sii8620.c
> +++ b/drivers/gpu/drm/bridge/sil-sii8620.c
> @@ -597,9 +597,9 @@ static void sii8620_mt_read_devcap(struct sii8620 *ctx, bool xdevcap)
>  static void sii8620_mt_read_devcap_reg_recv(struct sii8620 *ctx,
>  		struct sii8620_mt_msg *msg)
>  {
> -	u8 reg = msg->reg[0] & 0x7f;
> +	u8 reg = msg->reg[1] & 0x7f;
>  
> -	if (msg->reg[0] & 0x80)
> +	if (msg->reg[1] & 0x80)
>  		ctx->xdevcap[reg] = msg->ret;
>  	else
>  		ctx->devcap[reg] = msg->ret;

diff --git a/drivers/gpu/drm/bridge/sil-sii8620.c b/drivers/gpu/drm/bridge/sil-sii8620.c
index 2d51a22..5131bfb 100644
--- a/drivers/gpu/drm/bridge/sil-sii8620.c
+++ b/drivers/gpu/drm/bridge/sil-sii8620.c
@@ -597,9 +597,9 @@  static void sii8620_mt_read_devcap(struct sii8620 *ctx, bool xdevcap)
 static void sii8620_mt_read_devcap_reg_recv(struct sii8620 *ctx,
 		struct sii8620_mt_msg *msg)
 {
-	u8 reg = msg->reg[0] & 0x7f;
+	u8 reg = msg->reg[1] & 0x7f;
 
-	if (msg->reg[0] & 0x80)
+	if (msg->reg[1] & 0x80)
 		ctx->xdevcap[reg] = msg->ret;
 	else
 		ctx->devcap[reg] = msg->ret;

drm/bridge/sii8620: Fix memory corruption

Commit Message

Comments

Patch