Re: Fwd: [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Should I resubmit the patch email with correct formatting? MITRE assigned this bug as CVE-2021-42327. Does AMD/kernel do public vulnerability reports? Do I need to email someone else or something(sorry for dumb questions this is my first time doing this and I don't know what to do)?
I am trying to do step 11 from here: https://cve.mitre.org/cve/researcher_reservation_guidelines.

On Tue, Oct 12, 2021 at 3:18 AM Christian König <ckoenig.leichtzumerken@xxxxxxxxx> wrote:
Am 11.10.21 um 22:24 schrieb T. Williams:


---------- Forwarded message ---------
From: docfate111 <tdwilliamsiv@xxxxxxxxx>
Date: Mon, Oct 11, 2021 at 4:22 PM
Subject: [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf.
To: <dri-devel@xxxxxxxxxxxxxxxxxxxxx>
Cc: <harry.wentland@xxxxxxx>, <sunpeng.li@xxxxxxx>


Signed-off-by: docfate111 <tdwilliamsiv@xxxxxxxxx>

While the find might be correct there are a couple of style problems with the patch.

First of all the subject line must be shorter and should be something like "drm/amdgpu: fix out of bounds write".

The detailed description of the bug then comes into the commit message.

And finally please use your real name for the Signed-off-by line.

Apart from that good catch,
Christian.

---
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
index 87daa78a32b8..17f2756a64dc 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
@@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f, const char __user *buf,
        if (!wr_buf)
                return -ENOSPC;

-       if (parse_write_buffer_into_params(wr_buf, size,
+       if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
                                           (long *)param, buf,
                                           max_param_num,
                                           &param_nums)) {
--
2.25.1



--
Thank you for your time,
Thelford Williams



--
Thank you for your time,
Thelford Williams

[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux