Message ID | tencent_6CDB3D2D9BB1A93DCB856F2AD38C59F93F05@qq.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | drm/amd/display: fix a possible NULL pointer dereference in bios_parser_get_src_obj() | expand |
On Mon, Oct 19, 2020 at 8:38 AM estherbdf <603571786@qq.com> wrote: > > [Why] the func bios_parser_get_src_obj () is similar to bios_parser_get_dst_obj () which is fixed by the commit<a8f976473196>("drm/amd/display: Banch of smatch error and warning fixes in DC"). > the symbol 'id' is uninitialized and it is not checked before dereference it,may lead to null pointer dereference. > [How] Initialized variable explicitly with NULL and add sanitizer. I think the current code is safe as is. get_src_obj_list() will return 0 if *id_list is NULL and bios_parser_get_src_obj() checks if number <= index. Alex > > Signed-off-by: estherbdf <603571786@qq.com> > --- > drivers/gpu/drm/amd/display/dc/bios/bios_parser.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c b/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c > index 008d4d1..94c6cca 100644 > --- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c > +++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c > @@ -190,7 +190,7 @@ static enum bp_result bios_parser_get_src_obj(struct dc_bios *dcb, > struct graphics_object_id *src_object_id) > { > uint32_t number; > - uint16_t *id; > + uint16_t *id = NULL; > ATOM_OBJECT *object; > struct bios_parser *bp = BP_FROM_DCB(dcb); > > @@ -206,7 +206,7 @@ static enum bp_result bios_parser_get_src_obj(struct dc_bios *dcb, > > number = get_src_obj_list(bp, object, &id); > > - if (number <= index) > + if (number <= index || !id) > return BP_RESULT_BADINPUT; > > *src_object_id = object_id_from_bios_object_id(id[index]); > -- > 1.9.1 > > > _______________________________________________ > amd-gfx mailing list > amd-gfx@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/amd-gfx
diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c b/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c index 008d4d1..94c6cca 100644 --- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c +++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c @@ -190,7 +190,7 @@ static enum bp_result bios_parser_get_src_obj(struct dc_bios *dcb, struct graphics_object_id *src_object_id) { uint32_t number; - uint16_t *id; + uint16_t *id = NULL; ATOM_OBJECT *object; struct bios_parser *bp = BP_FROM_DCB(dcb); @@ -206,7 +206,7 @@ static enum bp_result bios_parser_get_src_obj(struct dc_bios *dcb, number = get_src_obj_list(bp, object, &id); - if (number <= index) + if (number <= index || !id) return BP_RESULT_BADINPUT; *src_object_id = object_id_from_bios_object_id(id[index]);
[Why] the func bios_parser_get_src_obj () is similar to bios_parser_get_dst_obj () which is fixed by the commit<a8f976473196>("drm/amd/display: Banch of smatch error and warning fixes in DC"). the symbol 'id' is uninitialized and it is not checked before dereference it,may lead to null pointer dereference. [How] Initialized variable explicitly with NULL and add sanitizer. Signed-off-by: estherbdf <603571786@qq.com> --- drivers/gpu/drm/amd/display/dc/bios/bios_parser.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)