On Fri, 2018-02-16 at 10:43 +0100, Norbert Manthey wrote:
> The current implementation will leak a byte to the log via memmove. The
> specified 27 bytes are off-by-one, as the payload is 25 bytes, and the
> termination character is only one byte large. To avoid this, factor out
> the error message, and furthermore make the second parameter of the
> append_entry function const.
>
> Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)")
>
> The full trace is as follows:
>
> In function â??memmoveâ??,
> Â Â Â from â??append_entryâ?? at
> Â Â Â Â Â Â Â Â drivers/gpu/drm/amd/display/dc/basics/logger.c:257:2,
> Â Â Â from â??dm_logger_append_vaâ?? at
> Â Â Â Â Â Â Â Â drivers/gpu/drm/amd/display/dc/basics/logger.c:348:4
> Â Â Â detected read beyond size of object passed as 2nd parameter
>
> Signed-off-by: Norbert Manthey <nmanthey at amazon.de>
That same code exists in a different form in at least 4.15 so
Cc: stable at vger.kernel.org
> Cc: Alex Deucher <alexander.deucher at amd.com>
> Cc: "Christian König" <christian.koenig at amd.com>
> Cc: "David (ChunMing) Zhou" <David1.Zhou at amd.com>
> Cc: David Airlie <airlied at linux.ie>
> Cc: Harry Wentland <harry.wentland at amd.com>
> Cc: Tony Cheng <tony.cheng at amd.com>
> Cc: Yongqiang Sun <yongqiang.sun at amd.com>
> Cc: Aric Cyr <Aric.Cyr at amd.com>
> Cc: Colin Ian King <colin.king at canonical.com>
> Cc: Corbin McElhanney <corbin.mcelhanney at amd.com>
> Cc: Jordan Lazare <Jordan.Lazare at amd.com>
> Cc: Dmytro Laktyushkin <Dmytro.Laktyushkin at amd.com>
> Cc: amd-gfx at lists.freedesktop.org
> Cc: dri-devel at lists.freedesktop.org
> Cc: linux-kernel at vger.kernel.org
>
> ---
> Â drivers/gpu/drm/amd/display/dc/basics/logger.c | 6 ++++--
> Â 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/display/dc/basics/logger.c b/drivers/gpu/drm/amd/display/dc/basics/logger.c
> index 180a9d6..958070c 100644
> --- a/drivers/gpu/drm/amd/display/dc/basics/logger.c
> +++ b/drivers/gpu/drm/amd/display/dc/basics/logger.c
> @@ -243,7 +243,7 @@ static void log_heading(struct log_entry *entry)
> Â
> Â static void append_entry(
> Â struct log_entry *entry,
> - char *buffer,
> + const char *buffer,
> Â uint32_t buf_size)
> Â {
> Â if (!entry->buf ||
> @@ -345,7 +345,9 @@ void dm_logger_append_va(
> Â if (size < LOG_MAX_LINE_SIZE - 1) {
> Â append_entry(entry, buffer, size);
> Â } else {
> - append_entry(entry, "LOG_ERROR, line too long\n", 27);
> + static const char msg[] = "LOG_ERROR, line too long\n";
> +
> + append_entry(entry, msg, sizeof(msg));
> Â }
> Â }
> Â }
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5213 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/amd-gfx/attachments/20180216/4789bba2/attachment.bin>
