Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp670334rwi; Wed, 19 Oct 2022 01:05:30 -0700 (PDT) X-Google-Smtp-Source: AMsMyM7wPyhpFrnfeDVgno/hMm1jVE00NYC+lY+n1Z3h8jxsquuCJgk3q9Al/mZ2ewhMbbxJUpe5 X-Received: by 2002:a05:6402:5206:b0:45d:88f:4f00 with SMTP id s6-20020a056402520600b0045d088f4f00mr6273844edd.130.1666166730419; Wed, 19 Oct 2022 01:05:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666166730; cv=none; d=google.com; s=arc-20160816; b=HvrGdUiz6hYTjvrKMBNP9Q9RZYa6qkGeHUX05ZDOGcz1Y3hmUH0wC/qS4PfIaUcNc/ 6oTvc6LRnGYISImnOQd7Kg41gcI2VnQoklids/HYheN8mi6rLR9RN+3d0ypTUacuBuWQ KBEmt7U1/VpLLH6rAeeTV1CQYWp4YCvJ8QmmNlTtePW18ApO3fhYGYgywZfp+orl5p42 PY6x+2n+dQz85kRfes1l709W3hroY1w2XgAcGy+6ZetS1K1BkULmdJBS1nj5BrHLVeFY PaIYABZeBDr0GQ8zfQ8e/EYgTLXvnvys6zlgd5B/YqtcnX2O/CQZw41ovAeZNhJZv6At iymw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:mime-version:date :dkim-signature; bh=OFBlhkYS8e4Y++xggTk7x762ubjdCZQL5LyxpmWeUCA=; b=iG/l7WhqelNv/gwhi6017DZ7NtAl0QOyv1NwH+eT2CSluX2bfeRv7kLAErgHfXbIX6 PLdtO9UH93wuF8uFoZDhN62GdxCIOLIeg2/gYwriOl2sMU7giEUcPaT3w3wJbYNjflIq 50qad8SoWVVkmUq2rlLSSbxaO5ng6CTrmWR/67SoZWyqg7tLsa0TbPoILS/cTjgo/w9d Rd9Ml6P3b27R+TmVjEgsIFkSoNDMJYyad1mWJ56TBaVUicRF/UuKXGGmCmxR/G6Jbo5T lH4P/NvrI8VjM8mkU2S2qK7V/OiByG5yu5tm9hDbNd5vjf2Y/cJP9ejLEWZjWqpn0WqG YDJw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=Ozsq01M1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id en16-20020a056402529000b00457166171c6si11529183edb.432.2022.10.19.01.05.04; Wed, 19 Oct 2022 01:05:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=Ozsq01M1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230018AbiJSHdF (ORCPT + 99 others); Wed, 19 Oct 2022 03:33:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41706 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230008AbiJSHdD (ORCPT ); Wed, 19 Oct 2022 03:33:03 -0400 Received: from mail-pj1-x1049.google.com (mail-pj1-x1049.google.com [IPv6:2607:f8b0:4864:20::1049]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A40FE61121 for ; Wed, 19 Oct 2022 00:33:02 -0700 (PDT) Received: by mail-pj1-x1049.google.com with SMTP id u12-20020a17090a410c00b0020b7d65a875so8009826pjf.9 for ; Wed, 19 Oct 2022 00:33:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject :date:message-id:reply-to; bh=OFBlhkYS8e4Y++xggTk7x762ubjdCZQL5LyxpmWeUCA=; b=Ozsq01M1gRGtGtoH/cesMFHrQcZgb+x4tyXdANAkVr2929UYFp/CQCJNXnoeFXDiNU BZzmFTWGkBpJuzxNNTEUt8mg3kaO/D4gk78C8xiYyqpZN5wlBBvwHPrU/+3GTP7Q3aVF GUn+1EEzrZprmxQZAO7uIhpSmiGFbxtWtGzAb3ReiY4nqkAzN09e1ovJBDEs/q4o5knY 3Y54xYIdGEZXD/yShY+i5YkBn74VennWUUnxZEZN1CDFNTvNUGzk4Aqu3wN6j3pmmeRq MIa8VNaNxL+7+TQnDMEKpKDjXF7BmcCe8b84+M2DjcOL7+la4vlYESzSQBniYQYrWIg0 3OLA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=OFBlhkYS8e4Y++xggTk7x762ubjdCZQL5LyxpmWeUCA=; b=wQqgG2r1guTPLp8SKJ81J156gHi73LOVL9K7p71iQLfdaSPnClFRXI+NwLG7laxDTo aicqooRz4mdsk2TMxB0140ZnBHnwqQCHH2QhjO7/9PmUINE/dQsZFlzlVSiKs/iKByCq Gfx9g+7nvOuV8iB0k4vhRNsVoUgqjGx1kzY2Te70NpUMZ/iYXjY2K+mWm0+yRepBkTb+ 1V5ejFldMnRp6Igde0E3MACu9b1gPjvoS/M6NjCxV9L+wA2JGqhvTzD3X+JfBQwGZ20b pUhoEO5szdKZo46cw3Z2YsnEk96rH2jP49fPEeHD/jon9EI0PWKpwp1nEg5nnIR+AUk4 NAuQ== X-Gm-Message-State: ACrzQf24ufewIpCKgRzdo01gKh7nvlvAhe1J98Ywa6UufPBiOrPkpOx5 37p4xOsTnFahQb6stb+PQ9Ie9BXiQfa5jw== X-Received: from slicestar.c.googlers.com ([fda3:e722:ac3:cc00:4f:4b78:c0a8:20a1]) (user=davidgow job=sendgmr) by 2002:a17:90a:c986:b0:205:f08c:a82b with SMTP id w6-20020a17090ac98600b00205f08ca82bmr2707194pjt.1.1666164781481; Wed, 19 Oct 2022 00:33:01 -0700 (PDT) Date: Wed, 19 Oct 2022 15:32:40 +0800 Mime-Version: 1.0 X-Mailer: git-send-email 2.38.0.413.g74048e4d9e-goog Message-ID: <20221019073239.3779180-1-davidgow@google.com> Subject: [PATCH] drm: tests: Fix a buffer overflow in format_helper_test From: David Gow To: "=?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?=" , David Airlie , Daniel Vetter , Thomas Zimmermann , Maxime Ripard , Naresh Kamboju Cc: David Gow , "=?UTF-8?q?Ma=C3=ADra=20Canal?=" , dri-devel@lists.freedesktop.org, Sam Ravnborg , linux-kernel@vger.kernel.org, kunit-dev@googlegroups.com, Linux Kernel Functional Testing Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The xrgb2101010 format conversion test (unlike for other formats) does an endianness conversion on the results. However, it always converts TEST_BUF_SIZE 32-bit integers, which results in reading from (and writing to) more memory than in present in the result buffer. Instead, use the buffer size, divided by sizeof(u32). The issue could be reproduced with KASAN: ./tools/testing/kunit/kunit.py run --kunitconfig drivers/gpu/drm/tests \ --kconfig_add CONFIG_KASAN=y --kconfig_add CONFIG_KASAN_VMALLOC=y \ --kconfig_add CONFIG_KASAN_KUNIT_TEST=y \ drm_format_helper_test.*xrgb2101010 Reported-by: Linux Kernel Functional Testing Fixes: 453114319699 ("drm/format-helper: Add KUnit tests for drm_fb_xrgb8888_to_xrgb2101010()") Signed-off-by: David Gow --- This is a fix for the issue reported here: https://lore.kernel.org/dri-devel/CA+G9fYsuc9G+RO81E=vHMqxYStsmLURLdOB0NF26kJ1=K8pRZA@mail.gmail.com/ Note that it may conflict with the KUNIT_EXPECT_MEMEQ() series here: https://lore.kernel.org/linux-kselftest/20221018190541.189780-1-mairacanal@riseup.net/ Cheers, -- David --- drivers/gpu/drm/tests/drm_format_helper_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/tests/drm_format_helper_test.c b/drivers/gpu/drm/tests/drm_format_helper_test.c index 8d86c250c2ec..2191e57f2297 100644 --- a/drivers/gpu/drm/tests/drm_format_helper_test.c +++ b/drivers/gpu/drm/tests/drm_format_helper_test.c @@ -438,7 +438,7 @@ static void drm_test_fb_xrgb8888_to_xrgb2101010(struct kunit *test) iosys_map_set_vaddr(&src, xrgb8888); drm_fb_xrgb8888_to_xrgb2101010(&dst, &result->dst_pitch, &src, &fb, ¶ms->clip); - buf = le32buf_to_cpu(test, buf, TEST_BUF_SIZE); + buf = le32buf_to_cpu(test, buf, dst_size / sizeof(u32)); KUNIT_EXPECT_EQ(test, memcmp(buf, result->expected, dst_size), 0); } -- 2.38.0.413.g74048e4d9e-goog