Re: [PATCH] drm: fix off-by-one in logger

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On Fri, 2018-02-16 at 10:43 +0100, Norbert Manthey wrote:
> The current implementation will leak a byte to the log via memmove. The
> specified 27 bytes are off-by-one, as the payload is 25 bytes, and the
> termination character is only one byte large. To avoid this, factor out
> the error message, and furthermore make the second parameter of the
> append_entry function const.
> 
> Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)")
> 
> The full trace is as follows:
> 
> In function ‘memmove’,
>    from ‘append_entry’ at
>         drivers/gpu/drm/amd/display/dc/basics/logger.c:257:2,
>    from ‘dm_logger_append_va’ at
>         drivers/gpu/drm/amd/display/dc/basics/logger.c:348:4
>    detected read beyond size of object passed as 2nd parameter
> 
> Signed-off-by: Norbert Manthey <nmanthey@xxxxxxxxx>

That same code exists in a different form in at least 4.15 so

Cc: stable@xxxxxxxxxxxxxxx

> Cc: Alex Deucher <alexander.deucher@xxxxxxx>
> Cc: "Christian König" <christian.koenig@xxxxxxx>
> Cc: "David (ChunMing) Zhou" <David1.Zhou@xxxxxxx>
> Cc: David Airlie <airlied@xxxxxxxx>
> Cc: Harry Wentland <harry.wentland@xxxxxxx>
> Cc: Tony Cheng <tony.cheng@xxxxxxx>
> Cc: Yongqiang Sun <yongqiang.sun@xxxxxxx>
> Cc: Aric Cyr <Aric.Cyr@xxxxxxx>
> Cc: Colin Ian King <colin.king@xxxxxxxxxxxxx>
> Cc: Corbin McElhanney <corbin.mcelhanney@xxxxxxx>
> Cc: Jordan Lazare <Jordan.Lazare@xxxxxxx>
> Cc: Dmytro Laktyushkin <Dmytro.Laktyushkin@xxxxxxx>
> Cc: amd-gfx@xxxxxxxxxxxxxxxxxxxxx
> Cc: dri-devel@xxxxxxxxxxxxxxxxxxxxx
> Cc: linux-kernel@xxxxxxxxxxxxxxx
> 
> ---
>  drivers/gpu/drm/amd/display/dc/basics/logger.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/amd/display/dc/basics/logger.c b/drivers/gpu/drm/amd/display/dc/basics/logger.c
> index 180a9d6..958070c 100644
> --- a/drivers/gpu/drm/amd/display/dc/basics/logger.c
> +++ b/drivers/gpu/drm/amd/display/dc/basics/logger.c
> @@ -243,7 +243,7 @@ static void log_heading(struct log_entry *entry)
>  
>  static void append_entry(
>  		struct log_entry *entry,
> -		char *buffer,
> +		const char *buffer,
>  		uint32_t buf_size)
>  {
>  	if (!entry->buf ||
> @@ -345,7 +345,9 @@ void dm_logger_append_va(
>  		if (size < LOG_MAX_LINE_SIZE - 1) {
>  			append_entry(entry, buffer, size);
>  		} else {
> -			append_entry(entry, "LOG_ERROR, line too long\n", 27);
> +			static const char msg[] = "LOG_ERROR, line too long\n";
> +
> +			append_entry(entry, msg, sizeof(msg));
>  		}
>  	}
>  }

Attachment: smime.p7s
Description: S/MIME cryptographic signature


[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]