From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kees Cook , Alex Deucher , Sasha Levin Subject: [PATCH 5.12 051/242] drm/amd/display: Avoid HDCP over-read and corruption Date: Thu, 15 Jul 2021 20:36:53 +0200 Message-Id: <20210715182601.283161448@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210715182551.731989182@linuxfoundation.org> References: <20210715182551.731989182@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Kees Cook [ Upstream commit 06888d571b513cbfc0b41949948def6cb81021b2 ] Instead of reading the desired 5 bytes of the actual target field, the code was reading 8. This could result in a corrupted value if the trailing 3 bytes were non-zero, so instead use an appropriately sized and zero-initialized bounce buffer, and read only 5 bytes before casting to u64. Signed-off-by: Kees Cook Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin --- drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c index 73ca49f05bd3..eb56526ec32c 100644 --- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c +++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c @@ -29,8 +29,10 @@ static inline enum mod_hdcp_status validate_bksv(struct mod_hdcp *hdcp) { uint64_t n = 0; uint8_t count = 0; + u8 bksv[sizeof(n)] = { }; - memcpy(&n, hdcp->auth.msg.hdcp1.bksv, sizeof(uint64_t)); + memcpy(bksv, hdcp->auth.msg.hdcp1.bksv, sizeof(hdcp->auth.msg.hdcp1.bksv)); + n = *(uint64_t *)bksv; while (n) { count++; -- 2.30.2
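Review bot: the added memcpy() in validate_bksv() takes its length from the source, sizeof(hdcp->auth.msg.hdcp1.bksv), while the destination bksv[] is sized from sizeof(n), and nothing in the hunk ties the two sizes together. If the message field ever grows past 8 bytes, this becomes a stack overflow of the bounce buffer instead of the over-read being fixed here. A BUILD_BUG_ON(sizeof(hdcp->auth.msg.hdcp1.bksv) > sizeof(bksv)) next to the copy would make that assumption explicit. Separately, `n = *(uint64_t *)bksv;` reads a u8 array through a uint64_t pointer, and the array carries no alignment guarantee for that type. Since n is already initialized to 0, copying the field's bytes straight into it with `memcpy(&n, hdcp->auth.msg.hdcp1.bksv, sizeof(hdcp->auth.msg.hdcp1.bksv));` would give the same value without the bounce buffer or the cast.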