Date: Fri, 13 Nov 2020 15:55:57 +0100
From: Sam Ravnborg
To: Colin King
Cc: Anitha Chrisanthus, Edmund Dea, David Airlie, Daniel Vetter, dri-devel@lists.freedesktop.org, kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH][next] drm/kmb: fix array out-of-bounds writes to kmb->plane_status[]
Message-ID: <20201113145557.GB3647624@ravnborg.org>
In-Reply-To: <20201113120121.33212-1-colin.king@canonical.com>

Hi Colin.
On Fri, Nov 13, 2020 at 12:01:21PM +0000, Colin King wrote:
> From: Colin Ian King
>
> Writes to elements in the kmb->plane_status array in function
> kmb_plane_atomic_disable are overrunning the array when plane_id is
> more than 1 because currently the array is KMB_MAX_PLANES elements
> in size and this is currently #defined as 1. Fix this by defining
> KMB_MAX_PLANES to 4.

I fail to follow you here.
In kmb_plane_init() only one plane is allocated - with id set to 0.
So for now only one plane is allocated thus kmb_plane_atomic_disable()
is only called for this plane.

With your change we will start allocating four planes, something that is
not tested.

Do I miss something?

	Sam
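
Added example, not part of the thread or of the kmb driver source: a simplified user-space model of the situation discussed above, where the status array is sized by KMB_MAX_PLANES, only plane id 0 is created, and the disable path checks the index before writing. All model_* names, MODEL_PLANES_IN_USE, the guard field and the one-flag-per-plane layout are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>

#define KMB_MAX_PLANES 1      /* size the thread says is currently #defined */
#define MODEL_PLANES_IN_USE 1 /* assumed: planes created at init, id 0 only */

/* The array only has to cover the planes that init really creates. */
_Static_assert(MODEL_PLANES_IN_USE <= KMB_MAX_PLANES,
               "plane_status[] smaller than the number of planes created");

struct model_kmb {
    bool plane_status[KMB_MAX_PLANES]; /* simplified: one flag per plane */
    int guard;                         /* neighbour an overrun would hit */
    unsigned int num_planes;
};

/* Model of init: hands out ids 0..MODEL_PLANES_IN_USE-1, nothing more. */
static void model_plane_init(struct model_kmb *kmb)
{
    kmb->num_planes = MODEL_PLANES_IN_USE;
    kmb->guard = 0x5a;
    for (unsigned int id = 0; id < KMB_MAX_PLANES; id++)
        kmb->plane_status[id] = false;
}

/* Model of the disable path with the index checked before the write. */
static int model_plane_disable(struct model_kmb *kmb, unsigned int plane_id)
{
    if (plane_id >= kmb->num_planes || plane_id >= KMB_MAX_PLANES)
        return -EINVAL;
    kmb->plane_status[plane_id] = true;
    return 0;
}

/* Returns 0 when the allocated plane works and an unknown id is refused. */
static int model_check(void)
{
    struct model_kmb kmb;

    model_plane_init(&kmb);
    if (model_plane_disable(&kmb, 0) != 0 || !kmb.plane_status[0])
        return 1;
    if (model_plane_disable(&kmb, 1) != -EINVAL || kmb.guard != 0x5a)
        return 2;
    return 0;
}

int main(void) { return model_check(); }
```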