From patchwork Mon Jul 22 14:38:34 2019
X-Patchwork-Submitter: Simon Ser
X-Patchwork-Id: 11052551
Date: Mon, 22 Jul 2019 14:38:34 +0000
To: dri-devel@lists.freedesktop.org
From: Simon Ser
Subject: [PATCH] drm: fix out-of-bounds access with short VSDB blocks
List-Id: Direct Rendering Infrastructure - Development
Reply-To: Simon Ser
Cc: Simon Ser

From: Simon Ser

The VSDB parsing code contains a few len >= N checks, accessing db[N] on success. However if len == N, db[N] is out-of-bounds. This commit changes the checks to test for len > N.

Signed-off-by: Simon Ser
Signed-off-by: Simon Ser
---
drivers/gpu/drm/drm_edid.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
--
2.22.0

diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c index 82a4ceed3fcf..13d632f14172 100644 --- a/drivers/gpu/drm/drm_edid.c +++ b/drivers/gpu/drm/drm_edid.c @@ -3569,7 +3569,7 @@ do_hdmi_vsdb_modes(struct drm_connector *connector, const u8 *db, u8 len, vic_len = db[8 + offset] >> 5; hdmi_3d_len = db[8 + offset] & 0x1f; - for (i = 0; i < vic_len && len >= (9 + offset + i); i++) { + for (i = 0; i < vic_len && len > (9 + offset + i); i++) { u8 vic; vic = db[9 + offset + i]; 
@@ -3971,11 +3971,11 @@ drm_parse_hdr_metadata_block(struct drm_connector *connector, const u8 *db) connector->hdr_sink_metadata.hdmi_type1.metadata_type = hdr_metadata_type(db); - if (len >= 4) + if (len > 4) connector->hdr_sink_metadata.hdmi_type1.max_cll = db[4]; - if (len >= 5) + if (len > 5) connector->hdr_sink_metadata.hdmi_type1.max_fall = db[5]; - if (len >= 6) + if (len > 6) connector->hdr_sink_metadata.hdmi_type1.min_cll = db[6]; } @@ -3984,19 +3984,19 @@ drm_parse_hdmi_vsdb_audio(struct drm_connector *connector, const u8 *db) { u8 len = cea_db_payload_len(db); - if (len >= 6 && (db[6] & (1 << 7))) + if (len > 6 && (db[6] & (1 << 7))) connector->eld[DRM_ELD_SAD_COUNT_CONN_TYPE] |= DRM_ELD_SUPPORTS_AI; - if (len >= 8) { + if (len > 8) { connector->latency_present[0] = db[8] >> 7; connector->latency_present[1] = (db[8] >> 6) & 1; } - if (len >= 9) + if (len > 9) connector->video_latency[0] = db[9]; - if (len >= 10) + if (len > 10) connector->audio_latency[0] = db[10]; - if (len >= 11) + if (len > 11) connector->video_latency[1] = db[11]; - if (len >= 12) + if (len > 12) connector->audio_latency[1] = db[12]; DRM_DEBUG_KMS("HDMI: latency present %d %d, " @@ -4559,9 +4559,9 @@ drm_parse_hdmi_vsdb_video(struct drm_connector *connector, const u8 *db) struct drm_display_info *info = &connector->display_info; u8 len = cea_db_payload_len(db); - if (len >= 6) + if (len > 6) info->dvi_dual = db[6] & 1; - if (len >= 7) + if (len > 7) info->max_tmds_clock = db[7] * 5000; DRM_DEBUG_KMS("HDMI: DVI dual %d, "
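
Review bot: In do_hdmi_vsdb_modes() the new loop bound `len > (9 + offset + i)` depends on what the caller passes as the `u8 len` parameter, and neither the hunk nor the commit message says whether that value counts the header byte db[0]. If it is a payload length, so that the block occupies db[0] through db[len], the old `len >= (9 + offset + i)` already kept `db[9 + offset + i]` in bounds and the new test drops the last VIC of a block that ends exactly there. Suggest documenting the convention in a comment above the loop and checking that whatever guards the earlier `db[8 + offset]` read uses the same one.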
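
Review bot: The drm_parse_hdr_metadata_block() hunk is outside what the subject and commit message describe ("short VSDB blocks", "The VSDB parsing code"), since it changes the HDR metadata parser. Either mention this block in the message or split it into its own patch. The hunk also does not show where `len` comes from in this function, so the message should say how it is derived before `if (len >= 4)` becomes `if (len > 4)` for the `db[4]` read.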
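
Review bot: The premise that db[N] is out of bounds when len == N needs justifying in drm_parse_hdmi_vsdb_audio(), where `u8 len = cea_db_payload_len(db);` is, going by the helper's name, a payload length. If that helper excludes the header byte db[0], the block is len + 1 bytes long, db[len] is its last valid byte, and the original `len >= 6` through `len >= 12` guards were exact, so the new ones would skip a field that is present. Please quote the helper's definition in the commit message and state which convention it uses before changing all six comparisons here.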
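
Review bot: In drm_parse_hdmi_vsdb_video(), `if (len > 7)` changes behaviour for a block whose length is exactly 7: `info->max_tmds_clock` is no longer filled from db[7] and keeps whatever value it had before. If `len` is a payload length, that is a functional regression for sinks whose block ends at that byte, so the patch should come with an EDID that demonstrates the out-of-bounds read, or a note on how the problem was found.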