This is a note to let you know that I've just added the patch titled
drm/atomic: fix out of bounds read in for_each_*_in_state helpers
to the 4.1-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
drm-atomic-fix-out-of-bounds-read-in-for_each_-_in_state-helpers.patch
and it can be found in the queue-4.1 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 60f207a5b6d8f23c2e8388b415e8d5c7311cc79d Mon Sep 17 00:00:00 2001
From: Andrey Ryabinin <a.ryabinin@xxxxxxxxxxx>
Date: Mon, 25 May 2015 13:29:44 +0300
Subject: drm/atomic: fix out of bounds read in for_each_*_in_state helpers
From: Andrey Ryabinin <a.ryabinin@xxxxxxxxxxx>
commit 60f207a5b6d8f23c2e8388b415e8d5c7311cc79d upstream.
for_each_*_in_state validate array index after
access to array elements, thus perform out of bounds read.
Fix this by validating index in the first place and read
array element iff validation was successful.
Fixes: df63b9994eaf ("drm/atomic: Add for_each_{connector,crtc,plane}_in_state helper macros")
Signed-off-by: Andrey Ryabinin <a.ryabinin@xxxxxxxxxxx>
Signed-off-by: Daniel Vetter <daniel.vetter@xxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
include/drm/drm_atomic.h | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
--- a/include/drm/drm_atomic.h
+++ b/include/drm/drm_atomic.h
@@ -77,26 +77,26 @@ int __must_check drm_atomic_async_commit
#define for_each_connector_in_state(state, connector, connector_state, __i) \
for ((__i) = 0; \
- (connector) = (state)->connectors[__i], \
- (connector_state) = (state)->connector_states[__i], \
- (__i) < (state)->num_connector; \
+ (__i) < (state)->num_connector && \
+ ((connector) = (state)->connectors[__i], \
+ (connector_state) = (state)->connector_states[__i], 1); \
(__i)++) \
if (connector)
#define for_each_crtc_in_state(state, crtc, crtc_state, __i) \
for ((__i) = 0; \
- (crtc) = (state)->crtcs[__i], \
- (crtc_state) = (state)->crtc_states[__i], \
- (__i) < (state)->dev->mode_config.num_crtc; \
+ (__i) < (state)->dev->mode_config.num_crtc && \
+ ((crtc) = (state)->crtcs[__i], \
+ (crtc_state) = (state)->crtc_states[__i], 1); \
(__i)++) \
if (crtc_state)
-#define for_each_plane_in_state(state, plane, plane_state, __i) \
- for ((__i) = 0; \
- (plane) = (state)->planes[__i], \
- (plane_state) = (state)->plane_states[__i], \
- (__i) < (state)->dev->mode_config.num_total_plane; \
- (__i)++) \
+#define for_each_plane_in_state(state, plane, plane_state, __i) \
+ for ((__i) = 0; \
+ (__i) < (state)->dev->mode_config.num_total_plane && \
+ ((plane) = (state)->planes[__i], \
+ (plane_state) = (state)->plane_states[__i], 1); \
+ (__i)++) \
if (plane_state)
#endif /* DRM_ATOMIC_H_ */
Patches currently in stable-queue which might be from a.ryabinin@xxxxxxxxxxx are
queue-4.1/drm-atomic-fix-out-of-bounds-read-in-for_each_-_in_state-helpers.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html