Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp651183pxv; Thu, 15 Jul 2021 12:29:52 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyXfUFSQfVJzYUyQnzl4A8E1lyUCjkg77vjq2mrtzMPU5jX9f4cA5+/NAlY9zVCacXqRdiX X-Received: by 2002:a05:6402:5244:: with SMTP id t4mr531005edd.346.1626377392501; Thu, 15 Jul 2021 12:29:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626377392; cv=none; d=google.com; s=arc-20160816; b=jv9la6h2mbntG22B4ZzgiEdrfPVLGamFaaKI1Jz2314N3481Jrg2653Cc4pVtTSo6g BFd3p8u0i8ahhuyJCp3a/pmSLnCcNmrpGmqq8YpekAyhUKqlreJJe+UIN1AWIVmfDTJP f48jgIOVmTak5gHDP7Ns6CKhsp9MbkJvkKBMfHFEV8upxNQygNu+1hOcP1VPYqKVgeoc mhFNY2BtkcZPVBm8z7c097HLo61L3UmRgGqr19I8cD4NbHhSwPNtVnsp9LegRu+HF3hu vwFnjfBr82b47ZtYhbC4SUt9dmagJrFz4CgmRzDjx7aTpFdUZDECI2srwAN2SGgPQ6+q HS6A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=32+gJzCDBLcS89FfBF0l8AWw0I2ZBmlr7hjvnRCz7T8=; b=g+5gnEZUOmabdqP7wfxW3cOrkMvV3DUrJ1ZT3G39ZOYXe4a4/w8pkuX5R94NvL5wmI eX/AL7XJLZkt/rCQi3mfkEIDJiku4xY37+a8zJgXsnKfMpg3l81ltl6RVddGOoi9G5NE UYICVPr9NQcnUYnybLqVy2K8yJmy9bw3J5M+RQZrKLOwGp05at1O5/C/oPX0g/EWu1vO cn1rAi1wjfjE0M4ZRepaP2+byQWMO4mxbQwmhCueojycZy6P6PyYl2UPK42WQA1GvKI7 96uDvO7RXIi/KH1X6lBsfKfjUABFoTErhf2iALbZDmzMhPLmclEmuTvgRjpS60/e7+fw G4yA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=XoBTs4I5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h3si5904508ede.293.2021.07.15.12.29.28; Thu, 15 Jul 2021 12:29:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=XoBTs4I5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344517AbhGOT0H (ORCPT + 99 others); Thu, 15 Jul 2021 15:26:07 -0400 Received: from mail.kernel.org ([198.145.29.99]:46122 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243503AbhGOTJx (ORCPT ); Thu, 15 Jul 2021 15:09:53 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 741FA613F9; Thu, 15 Jul 2021 19:05:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1626375951; bh=co4ViAOkLJgTbOD/bShjc5Cfzwin0PgwlTQtXi3wqAk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=XoBTs4I5/n52YWc0Zf6tm6DctVQ5YBq2jAQ6d4c1VyyHsrDvLqEgA3/mysh+1lGRk 0lf8nWWzy7l9SNU95FCfOF0j51RHV7vmYfvloVDoSSZ266KeYhhBUKvV6vxEoR3mdN KtADT3kcEmmZYaDIK0FA1G+79a8ImO779Lr7TU6Q= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kees Cook , Alex Deucher , Sasha Levin Subject: [PATCH 5.13 062/266] drm/amd/display: Avoid HDCP over-read and corruption Date: Thu, 15 Jul 2021 20:36:57 +0200 Message-Id: <20210715182625.190491995@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210715182613.933608881@linuxfoundation.org> References: <20210715182613.933608881@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Kees Cook [ Upstream commit 06888d571b513cbfc0b41949948def6cb81021b2 ] Instead of reading the desired 5 bytes of the actual target field, the code was reading 8. This could result in a corrupted value if the trailing 3 bytes were non-zero, so instead use an appropriately sized and zero-initialized bounce buffer, and read only 5 bytes before casting to u64. Signed-off-by: Kees Cook Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin --- drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c index 2cbd931363bd..6d26d9c63ab2 100644 --- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c +++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c @@ -29,8 +29,10 @@ static inline enum mod_hdcp_status validate_bksv(struct mod_hdcp *hdcp) { uint64_t n = 0; uint8_t count = 0; + u8 bksv[sizeof(n)] = { }; - memcpy(&n, hdcp->auth.msg.hdcp1.bksv, sizeof(uint64_t)); + memcpy(bksv, hdcp->auth.msg.hdcp1.bksv, sizeof(hdcp->auth.msg.hdcp1.bksv)); + n = *(uint64_t *)bksv; while (n) { count++; -- 2.30.2