Message ID | 20171209063759.GA8672@embeddedor.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Hi Zhenyu, Quoting Zhenyu Wang <zhenyuw@linux.intel.com>: > On 2017.12.09 00:37:59 -0600, Gustavo A. R. Silva wrote: >> In case function skl_format_to_drm returns -EINVAL, fmt turns into a huge >> number as fmt is of type u32, hence there is an out-of-bounds read when >> using fmt as an index for array skl_pixel_formats at line 225: >> plane->bpp = skl_pixel_formats[fmt].bpp; >> >> Fix this by comparing the value returned by function skl_format_to_drm >> against the size of array skl_pixel_formats, so in case it is greater than >> or equal to the number of items contained in skl_pixel_formats, print an >> error message and return -EINVAL. >> >> Addresses-Coverity-ID: 1462495 >> Addresses-Coverity-ID: 1462502 ("Out-of-bounds read") >> Fixes: 9f31d1063b43 ("drm/i915/gvt: Add framebuffer decoder support") >> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com> >> --- >> drivers/gpu/drm/i915/gvt/fb_decoder.c | 6 ++++++ >> 1 file changed, 6 insertions(+) >> >> diff --git a/drivers/gpu/drm/i915/gvt/fb_decoder.c >> b/drivers/gpu/drm/i915/gvt/fb_decoder.c >> index 72f4217..aed578b 100644 >> --- a/drivers/gpu/drm/i915/gvt/fb_decoder.c >> +++ b/drivers/gpu/drm/i915/gvt/fb_decoder.c >> @@ -222,6 +222,12 @@ int intel_vgpu_decode_primary_plane(struct >> intel_vgpu *vgpu, >> val & PLANE_CTL_ORDER_RGBX, >> val & PLANE_CTL_ALPHA_MASK, >> val & PLANE_CTL_YUV422_ORDER_MASK); >> + >> + if (fmt >= ARRAY_SIZE(skl_pixel_formats)) { >> + gvt_vgpu_err("Out-of-bounds pixel format index\n"); >> + return -EINVAL; >> + } >> + >> plane->bpp = skl_pixel_formats[fmt].bpp; >> plane->drm_format = skl_pixel_formats[fmt].drm_format; >> } else { >> -- > > Applied this, thanks! > Glad to help. :) Thanks -- Gustavo A. R. Silva
diff --git a/drivers/gpu/drm/i915/gvt/fb_decoder.c b/drivers/gpu/drm/i915/gvt/fb_decoder.c index 72f4217..aed578b 100644 --- a/drivers/gpu/drm/i915/gvt/fb_decoder.c +++ b/drivers/gpu/drm/i915/gvt/fb_decoder.c @@ -222,6 +222,12 @@ int intel_vgpu_decode_primary_plane(struct intel_vgpu *vgpu, val & PLANE_CTL_ORDER_RGBX, val & PLANE_CTL_ALPHA_MASK, val & PLANE_CTL_YUV422_ORDER_MASK); + + if (fmt >= ARRAY_SIZE(skl_pixel_formats)) { + gvt_vgpu_err("Out-of-bounds pixel format index\n"); + return -EINVAL; + } + plane->bpp = skl_pixel_formats[fmt].bpp; plane->drm_format = skl_pixel_formats[fmt].drm_format; } else {
In case function skl_format_to_drm returns -EINVAL, fmt turns into a huge number as fmt is of type u32, hence there is an out-of-bounds read when using fmt as an index for array skl_pixel_formats at line 225: plane->bpp = skl_pixel_formats[fmt].bpp; Fix this by comparing the value returned by function skl_format_to_drm against the size of array skl_pixel_formats, so in case it is greater than or equal to the number of items contained in skl_pixel_formats, print an error message and return -EINVAL. Addresses-Coverity-ID: 1462495 Addresses-Coverity-ID: 1462502 ("Out-of-bounds read") Fixes: 9f31d1063b43 ("drm/i915/gvt: Add framebuffer decoder support") Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com> --- drivers/gpu/drm/i915/gvt/fb_decoder.c | 6 ++++++ 1 file changed, 6 insertions(+)