Re: Fwd: [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf.

T. Williams Tue, 12 Oct 2021 13:45:40 -0700

Should I resubmit the patch email with correct formatting? MITRE assigned
this bug as CVE-2021-42327. Does AMD/kernel do public vulnerability
reports? Do I need to email someone else or something(sorry for dumb
questions this is my first time doing this and I don't know what to do)?
I am trying to do step 11 from here:
https://cve.mitre.org/cve/researcher_reservation_guidelines.


On Tue, Oct 12, 2021 at 3:18 AM Christian König <
ckoenig.leichtzumer...@gmail.com> wrote:

> Am 11.10.21 um 22:24 schrieb T. Williams:
>
>
>
> ---------- Forwarded message ---------
> From: docfate111 <tdwilliam...@gmail.com>
> Date: Mon, Oct 11, 2021 at 4:22 PM
> Subject: [PATCH] Size can be any value and is user controlled resulting in
> overwriting the 40 byte array wr_buf with an arbitrary length of data from
> buf.
> To: <dri-de...@lists.freedesktop.org>
> Cc: <harry.wentl...@amd.com>, <sunpeng...@amd.com>
>
>
> Signed-off-by: docfate111 <tdwilliam...@gmail.com>
>
>
> While the find might be correct there are a couple of style problems with
> the patch.
>
> First of all the subject line must be shorter and should be something like
> "drm/amdgpu: fix out of bounds write".
>
> The detailed description of the bug then comes into the commit message.
>
> And finally please use your real name for the Signed-off-by line.
>
> Apart from that good catch,
> Christian.
>
> ---
>  drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> index 87daa78a32b8..17f2756a64dc 100644
> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> @@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f,
> const char __user *buf,
>         if (!wr_buf)
>                 return -ENOSPC;
>
> -       if (parse_write_buffer_into_params(wr_buf, size,
> +       if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>                                            (long *)param, buf,
>                                            max_param_num,
>                                            &param_nums)) {
> --
> 2.25.1
>
>
>
> --
> Thank you for your time,
> Thelford Williams
>
>
>

-- 
Thank you for your time,
Thelford Williams

Re: Fwd: [PATCH] Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf.

Reply via email to