On Fri, 2018-02-16 at 10:43 +0100, Norbert Manthey wrote:
> The current implementation will leak a byte to the log via memmove. The
> specified 27 bytes are off-by-one, as the payload is 25 bytes, and the
> termination character is only one byte large. To avoid this, factor out
> the error message, and furthermore make the second parameter of the
> append_entry function const.
>
> Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)")
>
> The full trace is as follows:
>
> In function ‘memmove’,
> from ‘append_entry’ at
> drivers/gpu/drm/amd/display/dc/basics/logger.c:257:2,
> from ‘dm_logger_append_va’ at
> drivers/gpu/drm/amd/display/dc/basics/logger.c:348:4
> detected read beyond size of object passed as 2nd parameter
>
> Signed-off-by: Norbert Manthey <nmanthey@xxxxxxxxx>

That same code exists in a different form in at least 4.15 so Cc: stable@xxxxxxxxxxxxxxx

> Cc: Alex Deucher <alexander.deucher@xxxxxxx>
> Cc: "Christian König" <christian.koenig@xxxxxxx>
> Cc: "David (ChunMing) Zhou" <David1.Zhou@xxxxxxx>
> Cc: David Airlie <airlied@xxxxxxxx>
> Cc: Harry Wentland <harry.wentland@xxxxxxx>
> Cc: Tony Cheng <tony.cheng@xxxxxxx>
> Cc: Yongqiang Sun <yongqiang.sun@xxxxxxx>
> Cc: Aric Cyr <Aric.Cyr@xxxxxxx>
> Cc: Colin Ian King <colin.king@xxxxxxxxxxxxx>
> Cc: Corbin McElhanney <corbin.mcelhanney@xxxxxxx>
> Cc: Jordan Lazare <Jordan.Lazare@xxxxxxx>
> Cc: Dmytro Laktyushkin <Dmytro.Laktyushkin@xxxxxxx>
> Cc: amd-gfx@xxxxxxxxxxxxxxxxxxxxx
> Cc: dri-devel@xxxxxxxxxxxxxxxxxxxxx
> Cc: linux-kernel@xxxxxxxxxxxxxxx
>
> --- > drivers/gpu/drm/amd/display/dc/basics/logger.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/amd/display/dc/basics/logger.c b/drivers/gpu/drm/amd/display/dc/basics/logger.c > index 180a9d6..958070c 100644 > --- a/drivers/gpu/drm/amd/display/dc/basics/logger.c > +++ b/drivers/gpu/drm/amd/display/dc/basics/logger.c
> @@ -243,7 +243,7 @@ static void log_heading(struct log_entry *entry) > > static void append_entry( > struct log_entry *entry, > - char *buffer, > + const char *buffer, > uint32_t buf_size) > { > if (!entry->buf || > @@ -345,7 +345,9 @@ void dm_logger_append_va( > if (size < LOG_MAX_LINE_SIZE - 1) { > append_entry(entry, buffer, size); > } else { > - append_entry(entry, "LOG_ERROR, line too long\n", 27); > + static const char msg[] = "LOG_ERROR, line too long\n"; > + > + append_entry(entry, msg, sizeof(msg)); > } > } > }
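Review bot: In the else branch of dm_logger_append_va, sizeof(msg) counts the terminating NUL, so append_entry is now handed 26 bytes (25 of payload plus the terminator). That removes the read past the end of the literal, but it still copies the NUL into the entry, while the if branch just above passes size for buffer. If size there is a string length without the terminator, sizeof(msg) - 1 would keep both branches on the same convention and keep a NUL out of the middle of the log text. It would help to state in the commit message which length convention append_entry expects, since the buf_size parameter is not documented in the lines shown.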