Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752080AbbEYK35 (ORCPT ); Mon, 25 May 2015 06:29:57 -0400 Received: from mailout3.w1.samsung.com ([210.118.77.13]:31192 "EHLO mailout3.w1.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751199AbbEYK34 (ORCPT ); Mon, 25 May 2015 06:29:56 -0400 X-AuditID: cbfec7f4-f79c56d0000012ee-b2-5562f9a1f2c5 From: Andrey Ryabinin To: David Airlie Cc: Ander Conselvan de Oliveira , Andrey Ryabinin , dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org Subject: [PATCH] drm/atomic: fix out of bounds read in for_each_*_in_state helpers Date: Mon, 25 May 2015 13:29:44 +0300 Message-id: <1432549784-21966-1-git-send-email-a.ryabinin@samsung.com> X-Mailer: git-send-email 2.4.1 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrAJMWRmVeSWpSXmKPExsVy+t/xq7oLfyaFGnT9MLPY9usRm0XvuZNM FvvOtLFYXPn6ns3i8q45bA6sHov3vGTy2P7tAavH/e7jTB59W1YxenzeJBfAGsVlk5Kak1mW WqRvl8CVsWHNB6aCP4IV8y+LNDD+5+1i5OSQEDCReDR9ITOELSZx4d56ti5GLg4hgaWMEtc3 NLNDOE1MEqu/bGQHqWIT0JP4N2s7G4gtIqAscfvxcrA4s8AWRokN561BbGGBEIlf394C1XBw sAioSrx8oA8S5hVwk7i35Bk7xDI5icfn9rJPYORewMiwilE0tTS5oDgpPddQrzgxt7g0L10v OT93EyMkHL7sYFx8zOoQowAHoxIP74aspFAh1sSy4srcQ4wSHMxKIrwTvwGFeFMSK6tSi/Lj i0pzUosPMUpzsCiJ887d9T5ESCA9sSQ1OzW1ILUIJsvEwSnVwCipU+p0vSO6S7VcT7Cyqf34 4ei+az9nNC9z9X4t23VFd3YG4x676SpFh9Qems5bZrDmuX3Np/bZfZl8RS9WJSzeVPTXL/Pn 7Du1PrefnTPt1M1r0P42y85Ad8revRsK2c9//xr24XNvruHJnUuftv9of/9tBYO7xozF+13L LY2XqNszTzofuE+JpTgj0VCLuag4EQCrmtWtAwIAAA== Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2487 Lines: 63 for_each_*_in_state validate array index after access to array elements, thus perform out of bounds read. Fix this by validating index in the first place and read array element iff validation was successful. Fixes: df63b9994eaf ("drm/atomic: Add for_each_{connector,crtc,plane}_in_state helper macros") Signed-off-by: Andrey Ryabinin --- include/drm/drm_atomic.h | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/include/drm/drm_atomic.h b/include/drm/drm_atomic.h index c1571034..3f13b91 100644 --- a/include/drm/drm_atomic.h +++ b/include/drm/drm_atomic.h @@ -77,26 +77,26 @@ int __must_check drm_atomic_async_commit(struct drm_atomic_state *state); #define for_each_connector_in_state(state, connector, connector_state, __i) \ for ((__i) = 0; \ - (connector) = (state)->connectors[__i], \ - (connector_state) = (state)->connector_states[__i], \ - (__i) < (state)->num_connector; \ + (__i) < (state)->num_connector && \ + ((connector) = (state)->connectors[__i], \ + (connector_state) = (state)->connector_states[__i], 1); \ (__i)++) \ if (connector) #define for_each_crtc_in_state(state, crtc, crtc_state, __i) \ for ((__i) = 0; \ - (crtc) = (state)->crtcs[__i], \ - (crtc_state) = (state)->crtc_states[__i], \ - (__i) < (state)->dev->mode_config.num_crtc; \ + (__i) < (state)->dev->mode_config.num_crtc && \ + ((crtc) = (state)->crtcs[__i], \ + (crtc_state) = (state)->crtc_states[__i], 1); \ (__i)++) \ if (crtc_state) -#define for_each_plane_in_state(state, plane, plane_state, __i) \ - for ((__i) = 0; \ - (plane) = (state)->planes[__i], \ - (plane_state) = (state)->plane_states[__i], \ - (__i) < (state)->dev->mode_config.num_total_plane; \ - (__i)++) \ +#define for_each_plane_in_state(state, plane, plane_state, __i) \ + for ((__i) = 0; \ + (__i) < (state)->dev->mode_config.num_total_plane && \ + ((plane) = (state)->planes[__i], \ + (plane_state) = (state)->plane_states[__i], 1); \ + (__i)++) \ if (plane_state) #endif /* DRM_ATOMIC_H_ */ -- 2.4.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/