Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp3228307pxb; Mon, 16 Nov 2020 08:58:54 -0800 (PST) X-Google-Smtp-Source: ABdhPJzyHEEt/6JrC3IQmZbZ7mldUBiLh/mjPSbLTVuHkB7/MAUytGJLzMsNzY9jpa7ReY2SdlWg X-Received: by 2002:a17:906:1542:: with SMTP id c2mr5787013ejd.382.1605545934418; Mon, 16 Nov 2020 08:58:54 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1605545934; cv=none; d=google.com; s=arc-20160816; b=VBxQxkL4oHlJw7PYXF+ve76Wnu4qXZzzqBxbihjG0TxhJr/8W/eOZEfvqhMZOsmMuP if/pbxYOxVMZSKx5M2YG6/pZ9yIqNj0h9rpafRglcC7f3W77uYDplCk8dMWG3xbWONgM UJmTepBeRokSR+N66Bhc3Av842+ukOlWPy+u+ya6gOi5DR/KVYRSPYXVncwOXB1mrcsX MOVc5RpMHpD/k8PDjVK71PNdHgKYr5pcBRXzi3cfw+h9rQWjenRH37lQAfB3K+Qdn7XV 27kfGeQ7P7CsYl5ePdpQYad8qxQxr0iZzjmbhwAjLyY5eTF9vfTzTvCJeJMZOE46E1LV S5PA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=S3jyrr+vZX/6CQzijyHDqXgarzaL1W8pby2TxHIXP0U=; b=d0/JgqKozy6Pgnyc5zxepHEEI7ihcv4H2OhtCtBtHHTKqiO2OAgDbJG4PqQ4sf5ysP qIve/99DKqxkaSvzzqWq2V18gV5KHvsxMktnrcwzw9JjFVzGCvIY2/gTbr6hHyFoitVT W/ke2z18P+KHkHKDglmgp+kgkYiyF7cK6xZLAov7dCAM4nggAVEERvQRzqmmvV0B/zo2 f57G3Z5t0kWFSQRhL8pVA4PozyzHIJPjdwFaxxAHOm5xC6JOhiO87Ax4bk/qDnOiKPVX PPpfctSyxdpyjiSy5ouKaW0YVOg7NkGRqkiRQO9t5ct/nAzoslg/uyUW3YwGXoeJpSPE BRGA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g7si11711836ejd.530.2020.11.16.08.58.31; Mon, 16 Nov 2020 08:58:54 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731703AbgKPQz3 (ORCPT + 99 others); Mon, 16 Nov 2020 11:55:29 -0500 Received: from youngberry.canonical.com ([91.189.89.112]:45466 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731088AbgKPQz2 (ORCPT ); Mon, 16 Nov 2020 11:55:28 -0500 Received: from 1.general.cking.uk.vpn ([10.172.193.212]) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1kehmn-0008PX-W1; Mon, 16 Nov 2020 16:55:26 +0000 Subject: Re: [PATCH][next] drm/kmb: fix array out-of-bounds writes to kmb->plane_status[] To: "Chrisanthus, Anitha" , Sam Ravnborg Cc: "Dea, Edmund J" , David Airlie , Daniel Vetter , "dri-devel@lists.freedesktop.org" , "kernel-janitors@vger.kernel.org" , "linux-kernel@vger.kernel.org" References: <20201113120121.33212-1-colin.king@canonical.com> <20201113145557.GB3647624@ravnborg.org> <8dd5b960-d6c4-73cc-703e-349dc66f2937@canonical.com> <20201113180214.GA3675629@ravnborg.org> From: Colin Ian King Message-ID: <36e65d6c-5142-5150-2de9-ffb2143497eb@canonical.com> Date: Mon, 16 Nov 2020 16:55:25 +0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.4.3 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 16/11/2020 16:53, Chrisanthus, Anitha wrote: > Hi Sam and Colin, > >> -----Original Message----- >> From: Sam Ravnborg >> Sent: Friday, November 13, 2020 10:02 AM >> To: Colin Ian King >> Cc: Chrisanthus, Anitha ; Dea, Edmund J >> ; David Airlie ; Daniel Vetter >> ; dri-devel@lists.freedesktop.org; kernel- >> janitors@vger.kernel.org; linux-kernel@vger.kernel.org >> Subject: Re: [PATCH][next] drm/kmb: fix array out-of-bounds writes to kmb- >>> plane_status[] >> >> Hi Colin. >> On Fri, Nov 13, 2020 at 03:04:34PM +0000, Colin Ian King wrote: >>> On 13/11/2020 14:55, Sam Ravnborg wrote: >>>> Hi Colin. >>>> >>>> On Fri, Nov 13, 2020 at 12:01:21PM +0000, Colin King wrote: >>>>> From: Colin Ian King >>>>> >>>>> Writes to elements in the kmb->plane_status array in function >>>>> kmb_plane_atomic_disable are overrunning the array when plane_id is >>>>> more than 1 because currently the array is KMB_MAX_PLANES elements >>>>> in size and this is currently #defined as 1. Fix this by defining >>>>> KMB_MAX_PLANES to 4. >>>> >>>> I fail to follow you here. >>>> In kmb_plane_init() only one plane is allocated - with id set to 0. >>>> So for now only one plane is allocated thus kmb_plane_atomic_disable() >>>> is only called for this plane. >>>> >>>> With your change we will start allocating four planes, something that is >>>> not tested. >>>> >>>> Do I miss something? >>>> >>>> Sam >>>> >>> >>> The static analysis from coverity on linux-next suggested that there was >>> an array overflow as follows: >>> >>> 108 static void kmb_plane_atomic_disable(struct drm_plane *plane, >>> 109 struct drm_plane_state *state) >>> 110 { >>> >>> 1. Condition 0 /* !!(!__builtin_types_compatible_p() && >>> !__builtin_types_compatible_p()) */, taking false branch. >>> >>> 111 struct kmb_plane *kmb_plane = to_kmb_plane(plane); >>> >>> 2. assignment: Assigning: plane_id = kmb_plane->id. >>> >>> 112 int plane_id = kmb_plane->id; >>> 113 struct kmb_drm_private *kmb; >>> 114 >>> 115 kmb = to_kmb(plane->dev); >>> 116 >>> >>> 3. Switch case value LAYER_3. >>> >>> 117 switch (plane_id) { >>> 118 case LAYER_0: >>> 119 kmb->plane_status[plane_id].ctrl = LCD_CTRL_VL1_ENABLE; >>> 120 break; >> >> With the current code this is the only case that hits. >> So coverity is right that if we hit other cases that would result in a >> bug. But kmb_plane->id will for now not have other values than 0. >> >> So it is a subtle false positive. >> There is some "dead" code here - but this is in preparation for more >> than one layer and we will keep the code for now, unless Anitha chimes >> in and says otherwise. > > Thanks Sam, I was out on Friday. Agree with Sam, let's keep the current code for now. Kmb->plane_id will not have non-zero values now. > Only one plane is supported and tested currently, the extra code is in preparation for multiple planes. Thanks for the clarification. Apologies for the noise. > > Thanks, > Anitha >> >> Sam >> >>> 121 case LAYER_1: >>> >>> (#2 of 4): Out-of-bounds write (OVERRUN) >>> >>> 122 kmb->plane_status[plane_id].ctrl = LCD_CTRL_VL2_ENABLE; >>> 123 break; >>> 124 case LAYER_2: >>> >>> (#3 of 4): Out-of-bounds write (OVERRUN) >>> >>> 125 kmb->plane_status[plane_id].ctrl = LCD_CTRL_GL1_ENABLE; >>> 126 break; >>> >>> 4. equality_cond: Jumping to case LAYER_3. >>> >>> 127 case LAYER_3: >>> >>> (#1 of 4): Out-of-bounds write (OVERRUN) >>> 5. overrun-local: Overrunning array kmb->plane_status of 1 8-byte >>> elements at element index 3 (byte offset 31) using index plane_id (which >>> evaluates to 3). >>> >>> 128 kmb->plane_status[plane_id].ctrl = LCD_CTRL_GL2_ENABLE; >>> 129 break; >>> 130 } >>> 131 >>> >>> (#4 of 4): Out-of-bounds write (OVERRUN) >>> >>> 132 kmb->plane_status[plane_id].disable = true; >>> 133 } >>> 134 >>> >>> So it seems the assignments to kmb->plane_status[plane_id] are >>> overrunning the array since plane_status is allocated as 1 element and >>> yet plane_id can be 0..3 >>> >>> I could be misunderstanding this, or it may be a false positive. >>> >>> Colin