Hi,
Static analysis with Coverity has detected a potential issue with
function validate_bksv in
drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c with recent
commit:
commit ed9d8e2bcb003ec94658cafe9b1bb3960e2139ec
Author: Bhawanpreet Lakha <Bhawanpreet.Lakha@xxxxxxx>
Date: Tue Aug 6 17:52:01 2019 -0400
drm/amd/display: Add HDCP module
The analysis is as follows:
28 static inline enum mod_hdcp_status validate_bksv(struct mod_hdcp *hdcp)
29 {
CID 89852 (#1 of 1): Out-of-bounds read (OVERRUN)
1. overrun-local:
Overrunning array of 5 bytes at byte offset 7 by dereferencing pointer
(uint64_t *)hdcp->auth.msg.hdcp1.bksv.
30 uint64_t n = *(uint64_t *)hdcp->auth.msg.hdcp1.bksv;
31 uint8_t count = 0;
32
33 while (n) {
34 count++;
35 n &= (n - 1);
36 }
hdcp->auth.msg.hdcp1.bksv is an array of 5 uint8_t as defined in
drivers/gpu/drm/amd/display/modules/hdcp/hdcp.h as follows:
struct mod_hdcp_message_hdcp1 {
uint8_t an[8];
uint8_t aksv[5];
uint8_t ainfo;
uint8_t bksv[5];
uint16_t r0p;
uint8_t bcaps;
uint16_t bstatus;
uint8_t ksvlist[635];
uint16_t ksvlist_size;
uint8_t vp[20];
uint16_t binfo_dp;
};
variable n is going to contain the contains of r0p and bcaps. I'm not
sure if that is intentional. If not, then the count is going to be
incorrect if these are non-zero.
Colin
_______________________________________________
amd-gfx mailing list
amd-gfx@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/amd-gfx
