On Mon, May 25, 2015 at 01:29:44PM +0300, Andrey Ryabinin wrote:
> for_each_*_in_state validate array index after
> access to array elements, thus perform out of bounds read.
>
> Fix this by validating index in the first place and read
> array element iff validation was successful.
>
> Fixes: df63b9994eaf ("drm/atomic: Add
> for_each_{connector,crtc,plane}_in_state helper macros")
> Signed-off-by: Andrey Ryabinin <a.ryabinin at samsung.com>
Merged this for now to handle the regression, but yeah some polish might
be good.
-Daniel
> ---
> include/drm/drm_atomic.h | 24 ++++++++++++------------
> 1 file changed, 12 insertions(+), 12 deletions(-)
>
> diff --git a/include/drm/drm_atomic.h b/include/drm/drm_atomic.h
> index c1571034..3f13b91 100644
> --- a/include/drm/drm_atomic.h
> +++ b/include/drm/drm_atomic.h
> @@ -77,26 +77,26 @@ int __must_check drm_atomic_async_commit(struct
> drm_atomic_state *state);
>
> #define for_each_connector_in_state(state, connector, connector_state, __i) \
> for ((__i) = 0; \
> - (connector) = (state)->connectors[__i], \
> - (connector_state) = (state)->connector_states[__i], \
> - (__i) < (state)->num_connector; \
> + (__i) < (state)->num_connector && \
> + ((connector) = (state)->connectors[__i], \
> + (connector_state) = (state)->connector_states[__i], 1); \
> (__i)++) \
> if (connector)
>
> #define for_each_crtc_in_state(state, crtc, crtc_state, __i) \
> for ((__i) = 0; \
> - (crtc) = (state)->crtcs[__i], \
> - (crtc_state) = (state)->crtc_states[__i], \
> - (__i) < (state)->dev->mode_config.num_crtc; \
> + (__i) < (state)->dev->mode_config.num_crtc && \
> + ((crtc) = (state)->crtcs[__i], \
> + (crtc_state) = (state)->crtc_states[__i], 1); \
> (__i)++) \
> if (crtc_state)
>
> -#define for_each_plane_in_state(state, plane, plane_state, __i) \
> - for ((__i) = 0; \
> - (plane) = (state)->planes[__i], \
> - (plane_state) = (state)->plane_states[__i], \
> - (__i) < (state)->dev->mode_config.num_total_plane; \
> - (__i)++) \
> +#define for_each_plane_in_state(state, plane, plane_state, __i)
> \
> + for ((__i) = 0; \
> + (__i) < (state)->dev->mode_config.num_total_plane && \
> + ((plane) = (state)->planes[__i], \
> + (plane_state) = (state)->plane_states[__i], 1); \
> + (__i)++) \
> if (plane_state)
>
> #endif /* DRM_ATOMIC_H_ */
> --
> 2.4.1
>
> _______________________________________________
> dri-devel mailing list
> dri-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/dri-devel
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
