On 2021-10-27 09:47, Harry Wentland wrote:
>
>
> On 2021-10-27 09:03, Patrik Jakobsson wrote:
>> CVE-2021-42327 was fixed by:
>>
>> commit f23750b5b3d98653b31d4469592935ef6364ad67
>> Author: Thelford Williams <tdwilliamsiv@xxxxxxxxx>
>> Date: Wed Oct 13 16:04:13 2021 -0400
>>
>> drm/amdgpu: fix out of bounds write
>>
>> but amdgpu_dm_debugfs.c contains more of the same issue so fix the
>> remaining ones.
>>
>> Fixes: 918698d5c2b5 ("drm/amd/display: Return the number of bytes parsed than allocated")
>> Signed-off-by: Patrik Jakobsson <pjakobsson@xxxxxxx>
>> ---
>> .../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 16 ++++++++--------
>> 1 file changed, 8 insertions(+), 8 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> index 1a68a674913c..33bdf15febc6 100644
>> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> @@ -491,7 +491,7 @@ static ssize_t dp_phy_settings_write(struct file *f, const char __user *buf,
>> if (!wr_buf)
>> return -ENOSPC;
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>> @@ -643,7 +643,7 @@ static ssize_t dp_phy_test_pattern_debugfs_write(struct file *f, const char __us
>> if (!wr_buf)
>> return -ENOSPC;
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>> @@ -918,7 +918,7 @@ static ssize_t dp_dsc_passthrough_set(struct file *f, const char __user *buf,
>> return -ENOSPC;
>> }
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> ¶m, buf,
>> max_param_num,
>> ¶m_nums)) {
>> @@ -1215,7 +1215,7 @@ static ssize_t trigger_hotplug(struct file *f, const char __user *buf,
>> return -ENOSPC;
>> }
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>> @@ -1400,7 +1400,7 @@ static ssize_t dp_dsc_clock_en_write(struct file *f, const char __user *buf,
>> return -ENOSPC;
>> }
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>> @@ -1585,7 +1585,7 @@ static ssize_t dp_dsc_slice_width_write(struct file *f, const char __user *buf,
>> return -ENOSPC;
>> }
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>> @@ -1770,7 +1770,7 @@ static ssize_t dp_dsc_slice_height_write(struct file *f, const char __user *buf,
>> return -ENOSPC;
>> }
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>> @@ -1948,7 +1948,7 @@ static ssize_t dp_dsc_bits_per_pixel_write(struct file *f, const char __user *bu
>> return -ENOSPC;
>> }
>>
>> - if (parse_write_buffer_into_params(wr_buf, size,
>> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>>
>
>
> Thanks. This looks good but you seem to be missing another
> instance of this in dp_max_bpc_write.
>
This patch is
Reviewed-by: Harry Wentland <harry.wentland@xxxxxxx>
I'll send a follow-up for dp_max_bpc_write.
Harry
> We'll also want to Linus's suggestion in [1] but I can post
> another patch for that.
>
> https://lkml.org/lkml/2021/10/26/993>>
> Harry
>
