[RFC,v3,05/23] drm/vkms: Avoid reading beyond LUT array

Message ID	20231108163647.106853-6-harry.wentland@amd.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <dri-devel-bounces@lists.freedesktop.org> Received-SPF: Pass (protection.outlook.com: domain of amd.com designates 165.204.84.17 as permitted sender) receiver=protection.outlook.com; client-ip=165.204.84.17; helo=SATLEXMB03.amd.com; pr=C From: Harry Wentland <harry.wentland@amd.com> To: <dri-devel@lists.freedesktop.org> Subject: [RFC PATCH v3 05/23] drm/vkms: Avoid reading beyond LUT array Date: Wed, 8 Nov 2023 11:36:24 -0500 Message-ID: <20231108163647.106853-6-harry.wentland@amd.com> In-Reply-To: <20231108163647.106853-1-harry.wentland@amd.com> References: <20231108163647.106853-1-harry.wentland@amd.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain Precedence: list Cc: Arthur Grillo <arthurgrillo@riseup.net>, wayland-devel@lists.freedesktop.org Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
Series	Color Pipeline API w/ VKMS \| expand [RFC,v3,00/23] Color Pipeline API w/ VKMS [RFC,v3,01/23] drm: Don't treat 0 as -1 in drm_fixp2int_ceil [RFC,v3,02/23] drm: Add helper for conversion from signed-magnitude [RFC,v3,03/23] drm/vkms: Create separate Kconfig file for VKMS [RFC,v3,04/23] drm/vkms: Add kunit tests for VKMS LUT handling [RFC,v3,05/23] drm/vkms: Avoid reading beyond LUT array [RFC,v3,06/23] drm/doc/rfc: Describe why prescriptive color pipeline is needed [RFC,v3,07/23] drm/colorop: Introduce new drm_colorop mode object [RFC,v3,08/23] drm/colorop: Add TYPE property [RFC,v3,09/23] drm/color: Add 1D Curve subtype [RFC,v3,10/23] drm/colorop: Add BYPASS property [RFC,v3,11/23] drm/colorop: Add NEXT property [RFC,v3,12/23] drm/colorop: Add atomic state print for drm_colorop [RFC,v3,13/23] drm/plane: Add COLOR PIPELINE property [RFC,v3,14/23] drm/colorop: Add NEXT to colorop state print [RFC,v3,15/23] drm/vkms: Add enumerated 1D curve colorop [RFC,v3,16/23] drm/vkms: Add kunit tests for linear and sRGB LUTs [RFC,v3,17/23] drm/colorop: Introduce DRM_CLIENT_CAP_PLANE_COLOR_PIPELINE [RFC,v3,18/23] drm/colorop: Add 3x4 CTM type [RFC,v3,19/23] drm/vkms: Pull apply_colorop out of pre_blend_color_transform [RFC,v3,20/23] drm/vkms: Use s32 for internal color pipeline precision [RFC,v3,21/23] drm/vkms: add 3x4 matrix in color pipeline [RFC,v3,22/23] drm/tests: Add a few tests around drm_fixed.h [RFC,v3,23/23] drm/vkms: Add tests for CTM handling

Message ID

20231108163647.106853-6-harry.wentland@amd.com (mailing list archive)

State

New, archived

Headers

Received-SPF: Pass (protection.outlook.com: domain of amd.com designates
 165.204.84.17 as permitted sender) receiver=protection.outlook.com;
 client-ip=165.204.84.17; helo=SATLEXMB03.amd.com; pr=C
From: Harry Wentland <harry.wentland@amd.com>
To: <dri-devel@lists.freedesktop.org>
Subject: [RFC PATCH v3 05/23] drm/vkms: Avoid reading beyond LUT array
Date: Wed, 8 Nov 2023 11:36:24 -0500
Message-ID: <20231108163647.106853-6-harry.wentland@amd.com>
In-Reply-To: <20231108163647.106853-1-harry.wentland@amd.com>
References: <20231108163647.106853-1-harry.wentland@amd.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 08 Nov 2023 16:37:13.0742 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 7a683951-44b5-4a5a-fd5a-08dbe078f603
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: 
 TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d; Ip=[165.204.84.17];
 Helo=[SATLEXMB03.amd.com]
X-MS-Exchange-CrossTenant-AuthSource: 
 BL6PEPF0001AB51.namprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH3PR12MB9284
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
 <dri-devel.lists.freedesktop.org>
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Cc: Arthur Grillo <arthurgrillo@riseup.net>,
 wayland-devel@lists.freedesktop.org
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

Series

Color Pipeline API w/ VKMS | expand

Commit Message

Harry Wentland Nov. 8, 2023, 4:36 p.m. UTC

When the floor LUT index (drm_fixp2int(lut_index) is the last
index of the array the ceil LUT index will point to an entry
beyond the array. Make sure we guard against it and use the
value of the floor LUT index.

v3:
 - Drop bits from commit description that didn't contribute
   anything of value

Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Cc: Arthur Grillo <arthurgrillo@riseup.net>
---
 drivers/gpu/drm/vkms/vkms_composer.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

Comments

Arthur Grillo Nov. 10, 2023, 12:42 p.m. UTC | #1

On 08/11/23 13:36, Harry Wentland wrote:
> When the floor LUT index (drm_fixp2int(lut_index) is the last
> index of the array the ceil LUT index will point to an entry
> beyond the array. Make sure we guard against it and use the
> value of the floor LUT index.
> 
> v3:
>  - Drop bits from commit description that didn't contribute
>    anything of value
> 
> Signed-off-by: Harry Wentland <harry.wentland@amd.com>
> Cc: Arthur Grillo <arthurgrillo@riseup.net>

LGTM
Reviewed-by: Arthur Grillo <arthurgrillo@riseup.net>

Best Regards,
~Arthur Grillo

> ---
>  drivers/gpu/drm/vkms/vkms_composer.c | 14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/gpu/drm/vkms/vkms_composer.c b/drivers/gpu/drm/vkms/vkms_composer.c
> index 6f942896036e..25b6b73bece8 100644
> --- a/drivers/gpu/drm/vkms/vkms_composer.c
> +++ b/drivers/gpu/drm/vkms/vkms_composer.c
> @@ -123,6 +123,8 @@ static u16 apply_lut_to_channel_value(const struct vkms_color_lut *lut, u16 chan
>  				      enum lut_channel channel)
>  {
>  	s64 lut_index = get_lut_index(lut, channel_value);
> +	u16 *floor_lut_value, *ceil_lut_value;
> +	u16 floor_channel_value, ceil_channel_value;
>  
>  	/*
>  	 * This checks if `struct drm_color_lut` has any gap added by the compiler
> @@ -130,11 +132,15 @@ static u16 apply_lut_to_channel_value(const struct vkms_color_lut *lut, u16 chan
>  	 */
>  	static_assert(sizeof(struct drm_color_lut) == sizeof(__u16) * 4);
>  
> -	u16 *floor_lut_value = (__u16 *)&lut->base[drm_fixp2int(lut_index)];
> -	u16 *ceil_lut_value = (__u16 *)&lut->base[drm_fixp2int_ceil(lut_index)];
> +	floor_lut_value = (__u16 *)&lut->base[drm_fixp2int(lut_index)];
> +	if (drm_fixp2int(lut_index) == (lut->lut_length - 1))
> +		/* We're at the end of the LUT array, use same value for ceil and floor */
> +		ceil_lut_value = floor_lut_value;
> +	else
> +		ceil_lut_value = (__u16 *)&lut->base[drm_fixp2int_ceil(lut_index)];
>  
> -	u16 floor_channel_value = floor_lut_value[channel];
> -	u16 ceil_channel_value = ceil_lut_value[channel];
> +	floor_channel_value = floor_lut_value[channel];
> +	ceil_channel_value = ceil_lut_value[channel];
>  
>  	return lerp_u16(floor_channel_value, ceil_channel_value,
>  			lut_index & DRM_FIXED_DECIMAL_MASK);

Melissa Wen Dec. 6, 2023, 12:18 p.m. UTC | #2

On 11/10, Arthur Grillo wrote:
> 
> 
> On 08/11/23 13:36, Harry Wentland wrote:
> > When the floor LUT index (drm_fixp2int(lut_index) is the last
> > index of the array the ceil LUT index will point to an entry
> > beyond the array. Make sure we guard against it and use the
> > value of the floor LUT index.
> > 
> > v3:
> >  - Drop bits from commit description that didn't contribute
> >    anything of value
> > 
> > Signed-off-by: Harry Wentland <harry.wentland@amd.com>
> > Cc: Arthur Grillo <arthurgrillo@riseup.net>
> 
> LGTM
> Reviewed-by: Arthur Grillo <arthurgrillo@riseup.net>

Nice catch. Thanks!

I'll already apply this one to drm-misc-next too.

CC'ing other VKMS maintainers/reviewers.

Melissa

> 
> Best Regards,
> ~Arthur Grillo
> 
> > ---
> >  drivers/gpu/drm/vkms/vkms_composer.c | 14 ++++++++++----
> >  1 file changed, 10 insertions(+), 4 deletions(-)
> > 
> > diff --git a/drivers/gpu/drm/vkms/vkms_composer.c b/drivers/gpu/drm/vkms/vkms_composer.c
> > index 6f942896036e..25b6b73bece8 100644
> > --- a/drivers/gpu/drm/vkms/vkms_composer.c
> > +++ b/drivers/gpu/drm/vkms/vkms_composer.c
> > @@ -123,6 +123,8 @@ static u16 apply_lut_to_channel_value(const struct vkms_color_lut *lut, u16 chan
> >  				      enum lut_channel channel)
> >  {
> >  	s64 lut_index = get_lut_index(lut, channel_value);
> > +	u16 *floor_lut_value, *ceil_lut_value;
> > +	u16 floor_channel_value, ceil_channel_value;
> >  
> >  	/*
> >  	 * This checks if `struct drm_color_lut` has any gap added by the compiler
> > @@ -130,11 +132,15 @@ static u16 apply_lut_to_channel_value(const struct vkms_color_lut *lut, u16 chan
> >  	 */
> >  	static_assert(sizeof(struct drm_color_lut) == sizeof(__u16) * 4);
> >  
> > -	u16 *floor_lut_value = (__u16 *)&lut->base[drm_fixp2int(lut_index)];
> > -	u16 *ceil_lut_value = (__u16 *)&lut->base[drm_fixp2int_ceil(lut_index)];
> > +	floor_lut_value = (__u16 *)&lut->base[drm_fixp2int(lut_index)];
> > +	if (drm_fixp2int(lut_index) == (lut->lut_length - 1))
> > +		/* We're at the end of the LUT array, use same value for ceil and floor */
> > +		ceil_lut_value = floor_lut_value;
> > +	else
> > +		ceil_lut_value = (__u16 *)&lut->base[drm_fixp2int_ceil(lut_index)];
> >  
> > -	u16 floor_channel_value = floor_lut_value[channel];
> > -	u16 ceil_channel_value = ceil_lut_value[channel];
> > +	floor_channel_value = floor_lut_value[channel];
> > +	ceil_channel_value = ceil_lut_value[channel];
> >  
> >  	return lerp_u16(floor_channel_value, ceil_channel_value,
> >  			lut_index & DRM_FIXED_DECIMAL_MASK);

Melissa Wen Dec. 6, 2023, 1:15 p.m. UTC | #3

On 12/06, Melissa Wen wrote:
> On 11/10, Arthur Grillo wrote:
> > 
> > 
> > On 08/11/23 13:36, Harry Wentland wrote:
> > > When the floor LUT index (drm_fixp2int(lut_index) is the last
> > > index of the array the ceil LUT index will point to an entry
> > > beyond the array. Make sure we guard against it and use the
> > > value of the floor LUT index.
> > > 
> > > v3:
> > >  - Drop bits from commit description that didn't contribute
> > >    anything of value
> > > 
> > > Signed-off-by: Harry Wentland <harry.wentland@amd.com>
> > > Cc: Arthur Grillo <arthurgrillo@riseup.net>
> > 
> > LGTM
> > Reviewed-by: Arthur Grillo <arthurgrillo@riseup.net>
> 
> Nice catch. Thanks!
> 
> I'll already apply this one to drm-misc-next too.

It's a reminder to myself to add the missing fixes tag:

Fixes: db1f254f2cfaf ("drm/vkms: Add support to 1D gamma LUT")
Reviewed-by: Melissa Wen <mwen@igalia.com>
> 
> CC'ing other VKMS maintainers/reviewers.
> 
> Melissa
> 
> > 
> > Best Regards,
> > ~Arthur Grillo
> > 
> > > ---
> > >  drivers/gpu/drm/vkms/vkms_composer.c | 14 ++++++++++----
> > >  1 file changed, 10 insertions(+), 4 deletions(-)
> > > 
> > > diff --git a/drivers/gpu/drm/vkms/vkms_composer.c b/drivers/gpu/drm/vkms/vkms_composer.c
> > > index 6f942896036e..25b6b73bece8 100644
> > > --- a/drivers/gpu/drm/vkms/vkms_composer.c
> > > +++ b/drivers/gpu/drm/vkms/vkms_composer.c
> > > @@ -123,6 +123,8 @@ static u16 apply_lut_to_channel_value(const struct vkms_color_lut *lut, u16 chan
> > >  				      enum lut_channel channel)
> > >  {
> > >  	s64 lut_index = get_lut_index(lut, channel_value);
> > > +	u16 *floor_lut_value, *ceil_lut_value;
> > > +	u16 floor_channel_value, ceil_channel_value;
> > >  
> > >  	/*
> > >  	 * This checks if `struct drm_color_lut` has any gap added by the compiler
> > > @@ -130,11 +132,15 @@ static u16 apply_lut_to_channel_value(const struct vkms_color_lut *lut, u16 chan
> > >  	 */
> > >  	static_assert(sizeof(struct drm_color_lut) == sizeof(__u16) * 4);
> > >  
> > > -	u16 *floor_lut_value = (__u16 *)&lut->base[drm_fixp2int(lut_index)];
> > > -	u16 *ceil_lut_value = (__u16 *)&lut->base[drm_fixp2int_ceil(lut_index)];
> > > +	floor_lut_value = (__u16 *)&lut->base[drm_fixp2int(lut_index)];
> > > +	if (drm_fixp2int(lut_index) == (lut->lut_length - 1))
> > > +		/* We're at the end of the LUT array, use same value for ceil and floor */
> > > +		ceil_lut_value = floor_lut_value;
> > > +	else
> > > +		ceil_lut_value = (__u16 *)&lut->base[drm_fixp2int_ceil(lut_index)];
> > >  
> > > -	u16 floor_channel_value = floor_lut_value[channel];
> > > -	u16 ceil_channel_value = ceil_lut_value[channel];
> > > +	floor_channel_value = floor_lut_value[channel];
> > > +	ceil_channel_value = ceil_lut_value[channel];
> > >  
> > >  	return lerp_u16(floor_channel_value, ceil_channel_value,
> > >  			lut_index & DRM_FIXED_DECIMAL_MASK);

diff --git a/drivers/gpu/drm/vkms/vkms_composer.c b/drivers/gpu/drm/vkms/vkms_composer.c
index 6f942896036e..25b6b73bece8 100644
--- a/drivers/gpu/drm/vkms/vkms_composer.c
+++ b/drivers/gpu/drm/vkms/vkms_composer.c
@@ -123,6 +123,8 @@  static u16 apply_lut_to_channel_value(const struct vkms_color_lut *lut, u16 chan
 				      enum lut_channel channel)
 {
 	s64 lut_index = get_lut_index(lut, channel_value);
+	u16 *floor_lut_value, *ceil_lut_value;
+	u16 floor_channel_value, ceil_channel_value;
 
 	/*
 	 * This checks if `struct drm_color_lut` has any gap added by the compiler
@@ -130,11 +132,15 @@  static u16 apply_lut_to_channel_value(const struct vkms_color_lut *lut, u16 chan
 	 */
 	static_assert(sizeof(struct drm_color_lut) == sizeof(__u16) * 4);
 
-	u16 *floor_lut_value = (__u16 *)&lut->base[drm_fixp2int(lut_index)];
-	u16 *ceil_lut_value = (__u16 *)&lut->base[drm_fixp2int_ceil(lut_index)];
+	floor_lut_value = (__u16 *)&lut->base[drm_fixp2int(lut_index)];
+	if (drm_fixp2int(lut_index) == (lut->lut_length - 1))
+		/* We're at the end of the LUT array, use same value for ceil and floor */
+		ceil_lut_value = floor_lut_value;
+	else
+		ceil_lut_value = (__u16 *)&lut->base[drm_fixp2int_ceil(lut_index)];
 
-	u16 floor_channel_value = floor_lut_value[channel];
-	u16 ceil_channel_value = ceil_lut_value[channel];
+	floor_channel_value = floor_lut_value[channel];
+	ceil_channel_value = ceil_lut_value[channel];
 
 	return lerp_u16(floor_channel_value, ceil_channel_value,
 			lut_index & DRM_FIXED_DECIMAL_MASK);

[RFC,v3,05/23] drm/vkms: Avoid reading beyond LUT array

Commit Message

Comments

Patch