On Fri, 2018-02-16 at 10:43 +0100, Norbert Manthey wrote:
> The current implementation will leak a byte to the log via memmove. The
> specified 27 bytes are off-by-one, as the payload is 25 bytes, and the
> termination character is only one byte large. To avoid this, factor out
> the error message, and furthermore make the second parameter of the
> append_entry function const.
> 
> Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)")
> 
> The full trace is as follows:
> 
> In function ‘memmove’,
>    from ‘append_entry’ at
>         drivers/gpu/drm/amd/display/dc/basics/logger.c:257:2,
>    from ‘dm_logger_append_va’ at
>         drivers/gpu/drm/amd/display/dc/basics/logger.c:348:4
>    detected read beyond size of object passed as 2nd parameter
> 
> Signed-off-by: Norbert Manthey <[email protected]>

That same code exists in a different form in at least 4.15 so

Cc: [email protected]

> Cc: Alex Deucher <[email protected]>
> Cc: "Christian König" <[email protected]>
> Cc: "David (ChunMing) Zhou" <[email protected]>
> Cc: David Airlie <[email protected]>
> Cc: Harry Wentland <[email protected]>
> Cc: Tony Cheng <[email protected]>
> Cc: Yongqiang Sun <[email protected]>
> Cc: Aric Cyr <[email protected]>
> Cc: Colin Ian King <[email protected]>
> Cc: Corbin McElhanney <[email protected]>
> Cc: Jordan Lazare <[email protected]>
> Cc: Dmytro Laktyushkin <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> Cc: [email protected]
> 
> ---
>  drivers/gpu/drm/amd/display/dc/basics/logger.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/amd/display/dc/basics/logger.c 
> b/drivers/gpu/drm/amd/display/dc/basics/logger.c
> index 180a9d6..958070c 100644
> --- a/drivers/gpu/drm/amd/display/dc/basics/logger.c
> +++ b/drivers/gpu/drm/amd/display/dc/basics/logger.c
> @@ -243,7 +243,7 @@ static void log_heading(struct log_entry *entry)
>  
>  static void append_entry(
>               struct log_entry *entry,
> -             char *buffer,
> +             const char *buffer,
>               uint32_t buf_size)
>  {
>       if (!entry->buf ||
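
Review bot: the const on `buffer` in the append_entry signature is a prerequisite rather than separate cleanup, because the second hunk passes a `static const char msg[]` and the call would discard the qualifier without it. The commit message presents it as an extra ("furthermore"); state the dependency there so the two changes stay together when this is backported.
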
> @@ -345,7 +345,9 @@ void dm_logger_append_va(
>               if (size < LOG_MAX_LINE_SIZE - 1) {
>                       append_entry(entry, buffer, size);
>               } else {
> -                     append_entry(entry, "LOG_ERROR, line too long\n", 27);
> +                     static const char msg[] = "LOG_ERROR, line too long\n";
> +
> +                     append_entry(entry, msg, sizeof(msg));
>               }
>       }
>  }
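
Review bot: `sizeof(msg)` in the else branch counts the terminating NUL, so this call appends 26 bytes (25 characters of payload plus the terminator). That removes the read past the end of the string, but the sibling call `append_entry(entry, buffer, size)` suggests buf_size is meant to be the number of characters to append. If that is the case, pass `sizeof(msg) - 1` so no NUL ends up embedded in the log entry, or say in the commit message that copying the terminator is intended.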

_______________________________________________
dri-devel mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/dri-devel