Date: Mon, 25 May 2015 16:25:58 +0300
From: Andrey Ryabinin
To: Jani Nikula, David Airlie
Cc: Ander Conselvan de Oliveira, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] drm/atomic: fix out of bounds read in for_each_*_in_state helpers

On 05/25/2015 04:12 PM, Jani Nikula wrote:
> On Mon, 25 May 2015, Andrey Ryabinin wrote:
>> for_each_*_in_state validate array index after
>> access to array elements, thus perform out of bounds read.
>>
>> Fix this by validating index in the first place and read
>> array element iff validation was successful.
>>
>> Fixes: df63b9994eaf ("drm/atomic: Add for_each_{connector,crtc,plane}_in_state helper macros")
>> Signed-off-by: Andrey Ryabinin
>> ---
>> include/drm/drm_atomic.h | 24 ++++++++++++------------
>> 1 file changed, 12 insertions(+), 12 deletions(-)
>>
>> diff --git a/include/drm/drm_atomic.h b/include/drm/drm_atomic.h >> index c1571034..3f13b91 100644 >> --- a/include/drm/drm_atomic.h >> +++ b/include/drm/drm_atomic.h >> @@ -77,26 +77,26 @@ int __must_check drm_atomic_async_commit(struct drm_atomic_state *state); >> >> #define for_each_connector_in_state(state, connector, connector_state, __i) \ >> for ((__i) = 0; \ >> - (connector) = (state)->connectors[__i], \ >> - (connector_state) = (state)->connector_states[__i], \ >> - (__i) < (state)->num_connector; \ >> + (__i) < (state)->num_connector && \ >> + ((connector) = (state)->connectors[__i], \ >> + (connector_state) = (state)->connector_states[__i], 1); \
>
> This will stop at the first NULL connector/connector_state. Similarly
> for the loops below.
>

This will stop iff (__i) >= (state)->num_connector, because the result of expression:

    ((connector) = (state)->connectors[__i], (connector_state) = (state)->connector_states[__i], 1)

is always 1.
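
Review bot: In the new loop condition of for_each_connector_in_state, the trailing `, 1` inside the parenthesised comma expression is the only thing that keeps a NULL `(state)->connectors[__i]` or `(state)->connector_states[__i]` from ending the loop early, and it is easy to misread, as the question raised in this thread shows. A short comment above the macro saying that `(__i) < (state)->num_connector` is evaluated first and that the assignments always evaluate to 1 would make the intent explicit. The diffstat counts 12 insertions, so the same comment would apply to the other for_each_*_in_state macros, which are not visible in this quoted hunk.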
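
The loop-condition ordering discussed in this thread, as an added example that is not part of the original message or the kernel source: the two macros are simplified stand-ins for the old and patched for_each_connector_in_state, and demo_state, get() and run() are hypothetical names. get() records the index it is asked for instead of reading past the array, and the sample array with a NULL in the middle is constructed.

```c
#include <stddef.h>
#include <stdio.h>

#define NUM 3                      /* constructed: valid indices are 0..2 */

struct demo_state {                /* hypothetical stand-in for drm_atomic_state */
    int num_connector;
    const char *connectors[NUM];
    int max_index_read;            /* highest index handed to get() */
};

/* Records the requested index; never dereferences past the array. */
static const char *get(struct demo_state *s, int i)
{
    if (i > s->max_index_read)
        s->max_index_read = i;
    return (i < NUM) ? s->connectors[i] : NULL;
}

/* Old ordering: the element is fetched, then the index is checked. */
#define for_each_old(s, c, i) \
    for ((i) = 0; (c) = get((s), (i)), (i) < (s)->num_connector; (i)++)

/* Patched ordering: index checked first; ", 1" keeps a NULL from ending the loop. */
#define for_each_new(s, c, i) \
    for ((i) = 0; (i) < (s)->num_connector && ((c) = get((s), (i)), 1); (i)++)

/* Runs one variant; returns the iteration count, reports the highest index read. */
static int run(int patched, int *max_index_read)
{
    struct demo_state s = { NUM, { "A", NULL, "C" }, -1 };
    const char *c;
    int i, iterations = 0;

    if (patched) { for_each_new(&s, c, i) iterations++; }
    else         { for_each_old(&s, c, i) iterations++; }
    (void)c;
    *max_index_read = s.max_index_read;
    return iterations;
}

int main(void)
{
    int max_old, max_new;
    int n_old = run(0, &max_old), n_new = run(1, &max_new);
    printf("old: %d iterations, highest index read %d\n", n_old, max_old);
    printf("new: %d iterations, highest index read %d\n", n_new, max_new);
    return 0;
}
```

Both variants visit all three entries, including the NULL one; only the old ordering asks for index 3, one past the end of the array.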