Reviewed-by: Roman Li <roman.li@xxxxxxx>

> -----Original Message-----
> From: SHANMUGAM, SRINIVASAN <SRINIVASAN.SHANMUGAM@xxxxxxx>
> Sent: Wednesday, February 21, 2024 11:37 PM
> To: Siqueira, Rodrigo <Rodrigo.Siqueira@xxxxxxx>; Pillai, Aurabindo
> <Aurabindo.Pillai@xxxxxxx>; Chung, ChiaHsuan (Tom)
> <ChiaHsuan.Chung@xxxxxxx>; Li, Roman <Roman.Li@xxxxxxx>
> Cc: amd-gfx@xxxxxxxxxxxxxxxxxxxxx; SHANMUGAM, SRINIVASAN
> <SRINIVASAN.SHANMUGAM@xxxxxxx>; Zhuo, Lillian
> <Qingqing.Zhuo@xxxxxxx>
> Subject: [PATCH v3] drm/amd/display: Prevent potential buffer overflow in
> map_hw_resources
>
> Adds a check in the map_hw_resources function to prevent a potential buffer
> overflow. The function was accessing arrays using an index that could
> potentially be greater than the size of the arrays, leading to a buffer overflow.
>
> Adds a check to ensure that the index is within the bounds of the arrays. If the
> index is out of bounds, an error message is printed and break it will continue
> execution with just ignoring extra data early to prevent the buffer overflow.
>
> Reported by smatch:
> drivers/gpu/drm/amd/amdgpu/../display/dc/dml2/dml2_wrapper.c:79 map_hw_resources() error: buffer overflow 'dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_stream_id' 6 <= 7
> drivers/gpu/drm/amd/amdgpu/../display/dc/dml2/dml2_wrapper.c:81 map_hw_resources() error: buffer overflow 'dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_plane_id' 6 <= 7
>
> Fixes: 482ce89eec1b ("drm/amd/display: Introduce DML2")
> Cc: Rodrigo Siqueira <Rodrigo.Siqueira@xxxxxxx>
> Cc: Roman Li <roman.li@xxxxxxx>
> Cc: Qingqing Zhuo <Qingqing.Zhuo@xxxxxxx>
> Cc: Aurabindo Pillai <aurabindo.pillai@xxxxxxx>
> Cc: Tom Chung <chiahsuan.chung@xxxxxxx>
> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@xxxxxxx>
> ---
> v3:
>  - s/return/break as return may leave the system in a bad state
>
>  drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c | 5 +++++
>  1 file changed, 5 insertions(+)
> > diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c > b/drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c > index 26307e599614..2a58a7687bdb 100644 > --- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c > +++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c > @@ -76,6 +76,11 @@ static void map_hw_resources(struct dml2_context > *dml2, > in_out_display_cfg->hw.DLGRefClkFreqMHz = 50; > } > for (j = 0; j < mode_support_info->DPPPerSurface[i]; j++) { > + if (i >= > __DML2_WRAPPER_MAX_STREAMS_PLANES__) { > + dml_print("DML::%s: Index out of bounds: > i=%d, __DML2_WRAPPER_MAX_STREAMS_PLANES__=%d\n", > + __func__, i, > __DML2_WRAPPER_MAX_STREAMS_PLANES__); > + break; > + } > dml2- > >v20.scratch.dml_to_dc_pipe_mapping.dml_pipe_idx_to_stream_id[num_pip > es] = dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_stream_id[i]; > dml2- > >v20.scratch.dml_to_dc_pipe_mapping.dml_pipe_idx_to_stream_id_valid[nu > m_pipes] = true; > dml2- > >v20.scratch.dml_to_dc_pipe_mapping.dml_pipe_idx_to_plane_id[num_pipe > s] = dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_plane_id[i]; > -- > 2.34.1
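
Review bot: the added check in map_hw_resources() tests `i`, which does not change inside the `for (j = 0; j < mode_support_info->DPPPerSurface[i]; j++)` loop it was placed in, so the `break` leaves only that inner loop and the enclosing iteration over `i` carries on to the next value, where the same message may be printed again. Since the condition is invariant in `j`, consider testing `i >= __DML2_WRAPPER_MAX_STREAMS_PLANES__` once, ahead of the inner loop, so that iteration actually stops when the limit is reached and the inner loop's own condition is not evaluated with an out-of-range `i`. The destination arrays in the unchanged context lines (`dml_pipe_idx_to_stream_id`, `dml_pipe_idx_to_stream_id_valid`, `dml_pipe_idx_to_plane_id`) are indexed by `num_pipes`, which this hunk does not bound; it is worth confirming that it is limited elsewhere, or saying so in the commit message.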