| Message ID | 20231214123752.v3.2.I7b83c0f31aeedc6b1dc98c7c741d3e1f94f040f8@changeid (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v3,1/2] drm/bridge: parade-ps8640: Never store more than msg->size bytes in AUX xfer | expand |
On Thu, Dec 14, 2023 at 12:38 PM Douglas Anderson <dianders@chromium.org> wrote: > > For aux reads, the value `msg->size` indicates the size of the buffer > provided by `msg->buffer`. We should never in any circumstances write > more bytes to the buffer since it may overflow the buffer. > > In the ti-sn65dsi86 driver there is one code path that reads the > transfer length from hardware. Even though it's never been seen to be > a problem, we should make extra sure that the hardware isn't > increasing the length since doing so would cause us to overrun the > buffer. > > Fixes: 982f589bde7a ("drm/bridge: ti-sn65dsi86: Update reply on aux failures") > Signed-off-by: Douglas Anderson <dianders@chromium.org> Reviewed-by: Guenter Roeck <groeck@chromium.org> > --- > > (no changes since v2) > > Changes in v2: > - Updated patch subject to match ps8640 patch. > > drivers/gpu/drm/bridge/ti-sn65dsi86.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c > index 9095d1453710..62cc3893dca5 100644 > --- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c > +++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c > @@ -527,6 +527,7 @@ static ssize_t ti_sn_aux_transfer(struct drm_dp_aux *aux, > u32 request_val = AUX_CMD_REQ(msg->request); > u8 *buf = msg->buffer; > unsigned int len = msg->size; > + unsigned int short_len; > unsigned int val; > int ret; > u8 addr_len[SN_AUX_LENGTH_REG + 1 - SN_AUX_ADDR_19_16_REG]; > @@ -600,7 +601,8 @@ static ssize_t ti_sn_aux_transfer(struct drm_dp_aux *aux, > } > > if (val & AUX_IRQ_STATUS_AUX_SHORT) { > - ret = regmap_read(pdata->regmap, SN_AUX_LENGTH_REG, &len); > + ret = regmap_read(pdata->regmap, SN_AUX_LENGTH_REG, &short_len); > + len = min(len, short_len); > if (ret) > goto exit; > } else if (val & AUX_IRQ_STATUS_NAT_I2C_FAIL) { > -- > 2.43.0.472.g3155946c3a-goog >
Quoting Douglas Anderson (2023-12-14 12:37:52) > For aux reads, the value `msg->size` indicates the size of the buffer > provided by `msg->buffer`. We should never in any circumstances write > more bytes to the buffer since it may overflow the buffer. > > In the ti-sn65dsi86 driver there is one code path that reads the > transfer length from hardware. Even though it's never been seen to be > a problem, we should make extra sure that the hardware isn't > increasing the length since doing so would cause us to overrun the > buffer. > > Fixes: 982f589bde7a ("drm/bridge: ti-sn65dsi86: Update reply on aux failures") > Signed-off-by: Douglas Anderson <dianders@chromium.org> > --- Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Hi, On Thu, Dec 14, 2023 at 12:38 PM Douglas Anderson <dianders@chromium.org> wrote: > > For aux reads, the value `msg->size` indicates the size of the buffer > provided by `msg->buffer`. We should never in any circumstances write > more bytes to the buffer since it may overflow the buffer. > > In the ti-sn65dsi86 driver there is one code path that reads the > transfer length from hardware. Even though it's never been seen to be > a problem, we should make extra sure that the hardware isn't > increasing the length since doing so would cause us to overrun the > buffer. > > Fixes: 982f589bde7a ("drm/bridge: ti-sn65dsi86: Update reply on aux failures") > Signed-off-by: Douglas Anderson <dianders@chromium.org> > --- > > (no changes since v2) > > Changes in v2: > - Updated patch subject to match ps8640 patch. > > drivers/gpu/drm/bridge/ti-sn65dsi86.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) Since the patch fixes a potential crash, has two Reviews (even if they're both from @chromium), and doesn't seem controversial, I didn't want a full week and just landed it in drm-misc-fixes. If anyone is upset by this then please shout and we can revert or I can post a followup patch. Pushed to drm-misc-fixes: aca58eac52b8 drm/bridge: ti-sn65dsi86: Never store more than msg->size bytes in AUX xfer
diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c index 9095d1453710..62cc3893dca5 100644 --- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c +++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c @@ -527,6 +527,7 @@ static ssize_t ti_sn_aux_transfer(struct drm_dp_aux *aux, u32 request_val = AUX_CMD_REQ(msg->request); u8 *buf = msg->buffer; unsigned int len = msg->size; + unsigned int short_len; unsigned int val; int ret; u8 addr_len[SN_AUX_LENGTH_REG + 1 - SN_AUX_ADDR_19_16_REG]; @@ -600,7 +601,8 @@ static ssize_t ti_sn_aux_transfer(struct drm_dp_aux *aux, } if (val & AUX_IRQ_STATUS_AUX_SHORT) { - ret = regmap_read(pdata->regmap, SN_AUX_LENGTH_REG, &len); + ret = regmap_read(pdata->regmap, SN_AUX_LENGTH_REG, &short_len); + len = min(len, short_len); if (ret) goto exit; } else if (val & AUX_IRQ_STATUS_NAT_I2C_FAIL) {
For aux reads, the value `msg->size` indicates the size of the buffer provided by `msg->buffer`. We should never in any circumstances write more bytes to the buffer since it may overflow the buffer. In the ti-sn65dsi86 driver there is one code path that reads the transfer length from hardware. Even though it's never been seen to be a problem, we should make extra sure that the hardware isn't increasing the length since doing so would cause us to overrun the buffer. Fixes: 982f589bde7a ("drm/bridge: ti-sn65dsi86: Update reply on aux failures") Signed-off-by: Douglas Anderson <dianders@chromium.org> --- (no changes since v2) Changes in v2: - Updated patch subject to match ps8640 patch. drivers/gpu/drm/bridge/ti-sn65dsi86.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)