Kees Cook
2022-Nov-27  18:30 UTC
[Nouveau] [PATCH] drm/nouveau/disp: Fix nvif_outp_acquire_dp() argument size
Both Coverity and GCC with -Wstringop-overflow noticed that
nvif_outp_acquire_dp() accidentally defined its second argument with 1
additional element:
drivers/gpu/drm/nouveau/dispnv50/disp.c: In function
'nv50_pior_atomic_enable':
drivers/gpu/drm/nouveau/dispnv50/disp.c:1813:17: error:
'nvif_outp_acquire_dp' accessing 16 bytes in a region of size 15
[-Werror=stringop-overflow=]
 1813 |                 nvif_outp_acquire_dp(&nv_encoder->outp,
nv_encoder->dp.dpcd, 0, 0, false, false);
      |                
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/nouveau/dispnv50/disp.c:1813:17: note: referencing argument 2 of
type 'u8[16]' {aka 'unsigned char[16]'}
drivers/gpu/drm/nouveau/include/nvif/outp.h:24:5: note: in a call to function
'nvif_outp_acquire_dp'
   24 | int nvif_outp_acquire_dp(struct nvif_outp *, u8 dpcd[16],
      |     ^~~~~~~~~~~~~~~~~~~~
Avoid these warnings by defining the argument size using the matching
define (DP_RECEIVER_CAP_SIZE, 15) instead of having it be a literal
(and incorrect) value (16).
Reported-by: coverity-bot <keescook+coverity-bot at chromium.org>
Addresses-Coverity-ID: 1527269 ("Memory - corruptions")
Addresses-Coverity-ID: 1527268 ("Memory - corruptions")
Link: https://lore.kernel.org/lkml/202211100848.FFBA2432 at keescook/
Link: https://lore.kernel.org/lkml/202211100848.F4C2819BB at keescook/
Fixes: 813443721331 ("drm/nouveau/disp: move DP link config into
acquire")
Cc: Ben Skeggs <bskeggs at redhat.com>
Cc: Karol Herbst <kherbst at redhat.com>
Cc: Lyude Paul <lyude at redhat.com>
Cc: David Airlie <airlied at gmail.com>
Cc: Daniel Vetter <daniel at ffwll.ch>
Cc: Dave Airlie <airlied at redhat.com>
Cc: "Gustavo A. R. Silva" <gustavo at embeddedor.com>
Cc: dri-devel at lists.freedesktop.org
Cc: nouveau at lists.freedesktop.org
Signed-off-by: Kees Cook <keescook at chromium.org>
---
 drivers/gpu/drm/nouveau/include/nvif/outp.h | 3 ++-
 drivers/gpu/drm/nouveau/nvif/outp.c         | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/nouveau/include/nvif/outp.h
b/drivers/gpu/drm/nouveau/include/nvif/outp.h
index 45daadec3c0c..fa76a7b5e4b3 100644
--- a/drivers/gpu/drm/nouveau/include/nvif/outp.h
+++ b/drivers/gpu/drm/nouveau/include/nvif/outp.h
@@ -3,6 +3,7 @@
 #define __NVIF_OUTP_H__
 #include <nvif/object.h>
 #include <nvif/if0012.h>
+#include <drm/display/drm_dp.h>
 struct nvif_disp;
 
 struct nvif_outp {
@@ -21,7 +22,7 @@ int nvif_outp_acquire_rgb_crt(struct nvif_outp *);
 int nvif_outp_acquire_tmds(struct nvif_outp *, int head,
 			   bool hdmi, u8 max_ac_packet, u8 rekey, u8 scdc, bool hda);
 int nvif_outp_acquire_lvds(struct nvif_outp *, bool dual, bool bpc8);
-int nvif_outp_acquire_dp(struct nvif_outp *, u8 dpcd[16],
+int nvif_outp_acquire_dp(struct nvif_outp *outp, u8 dpcd[DP_RECEIVER_CAP_SIZE],
 			 int link_nr, int link_bw, bool hda, bool mst);
 void nvif_outp_release(struct nvif_outp *);
 int nvif_outp_infoframe(struct nvif_outp *, u8 type, struct
nvif_outp_infoframe_v0 *, u32 size);
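Review bot: The new prototype names the first parameter `outp`, while every other declaration visible in this hunk (`nvif_outp_acquire_lvds`, `nvif_outp_release`, `nvif_outp_infoframe`) leaves the `struct nvif_outp *` unnamed, so the change introduces a style inconsistency in the header; either keep it unnamed, `int nvif_outp_acquire_dp(struct nvif_outp *, u8 dpcd[DP_RECEIVER_CAP_SIZE],`, or name the parameter across the whole block in a separate cleanup. Separately, an array dimension on a parameter does not change its type — `dpcd` is still a `u8 *` — so `DP_RECEIVER_CAP_SIZE` documents the contract and lets -Wstringop-overflow check call sites whose argument is an array of known size, but the callee enforces nothing. A short comment on the declaration would make that explicit, e.g. `/* dpcd: caller-owned buffer of at least DP_RECEIVER_CAP_SIZE bytes; size is not enforced */`.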
diff --git a/drivers/gpu/drm/nouveau/nvif/outp.c
b/drivers/gpu/drm/nouveau/nvif/outp.c
index 7da39f1eae9f..c24bc5eae3ec 100644
--- a/drivers/gpu/drm/nouveau/nvif/outp.c
+++ b/drivers/gpu/drm/nouveau/nvif/outp.c
@@ -127,7 +127,7 @@ nvif_outp_acquire(struct nvif_outp *outp, u8 proto, struct
nvif_outp_acquire_v0
 }
 
 int
-nvif_outp_acquire_dp(struct nvif_outp *outp, u8 dpcd[16],
+nvif_outp_acquire_dp(struct nvif_outp *outp, u8 dpcd[DP_RECEIVER_CAP_SIZE],
 		     int link_nr, int link_bw, bool hda, bool mst)
 {
 	struct nvif_outp_acquire_v0 args;
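Review bot: The definition now agrees with the header, but the body of nvif_outp_acquire_dp continues outside the hunk, so whether the copy out of `dpcd` is bounded by `DP_RECEIVER_CAP_SIZE` (rather than a literal 16 or a `sizeof` on a field of `args`) cannot be confirmed here and is worth checking, since a copy length that does not match the prototype is exactly what the 16-vs-15 mismatch concealed. If the bytes land in a fixed-size field of `args`, a `BUILD_BUG_ON(sizeof(<destination field>) != DP_RECEIVER_CAP_SIZE)` next to the copy would keep the two sizes in step. This translation unit also gains no include of its own and presumably sees `DP_RECEIVER_CAP_SIZE` through outp.h; that holds only as long as outp.c keeps including its own header first.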
-- 
2.34.1
Kees Cook
2023-Jan-25  20:15 UTC
[Nouveau] [PATCH] drm/nouveau/disp: Fix nvif_outp_acquire_dp() argument size
Ping. I'll take this via my tree unless someone else wants to take it... On Sun, Nov 27, 2022 at 10:30:41AM -0800, Kees Cook wrote:> Both Coverity and GCC with -Wstringop-overflow noticed that > nvif_outp_acquire_dp() accidentally defined its second argument with 1 > additional element: > > drivers/gpu/drm/nouveau/dispnv50/disp.c: In function 'nv50_pior_atomic_enable': > drivers/gpu/drm/nouveau/dispnv50/disp.c:1813:17: error: 'nvif_outp_acquire_dp' accessing 16 bytes in a region of size 15 [-Werror=stringop-overflow=] > 1813 | nvif_outp_acquire_dp(&nv_encoder->outp, nv_encoder->dp.dpcd, 0, 0, false, false); > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > drivers/gpu/drm/nouveau/dispnv50/disp.c:1813:17: note: referencing argument 2 of type 'u8[16]' {aka 'unsigned char[16]'} > drivers/gpu/drm/nouveau/include/nvif/outp.h:24:5: note: in a call to function 'nvif_outp_acquire_dp' > 24 | int nvif_outp_acquire_dp(struct nvif_outp *, u8 dpcd[16], > | ^~~~~~~~~~~~~~~~~~~~ > > Avoid these warnings by defining the argument size using the matching > define (DP_RECEIVER_CAP_SIZE, 15) instead of having it be a literal > (and incorrect) value (16). > > Reported-by: coverity-bot <keescook+coverity-bot at chromium.org> > Addresses-Coverity-ID: 1527269 ("Memory - corruptions") > Addresses-Coverity-ID: 1527268 ("Memory - corruptions") > Link: https://lore.kernel.org/lkml/202211100848.FFBA2432 at keescook/ > Link: https://lore.kernel.org/lkml/202211100848.F4C2819BB at keescook/ > Fixes: 813443721331 ("drm/nouveau/disp: move DP link config into acquire") > Cc: Ben Skeggs <bskeggs at redhat.com> > Cc: Karol Herbst <kherbst at redhat.com> > Cc: Lyude Paul <lyude at redhat.com> > Cc: David Airlie <airlied at gmail.com> > Cc: Daniel Vetter <daniel at ffwll.ch> > Cc: Dave Airlie <airlied at redhat.com> > Cc: "Gustavo A. R. Silva" <gustavo at embeddedor.com> > Cc: dri-devel at lists.freedesktop.org > Cc: nouveau at lists.freedesktop.org 
> Signed-off-by: Kees Cook <keescook at chromium.org> > --- > drivers/gpu/drm/nouveau/include/nvif/outp.h | 3 ++- > drivers/gpu/drm/nouveau/nvif/outp.c | 2 +- > 2 files changed, 3 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/nouveau/include/nvif/outp.h b/drivers/gpu/drm/nouveau/include/nvif/outp.h > index 45daadec3c0c..fa76a7b5e4b3 100644 > --- a/drivers/gpu/drm/nouveau/include/nvif/outp.h > +++ b/drivers/gpu/drm/nouveau/include/nvif/outp.h > @@ -3,6 +3,7 @@ > #define __NVIF_OUTP_H__ > #include <nvif/object.h> > #include <nvif/if0012.h> > +#include <drm/display/drm_dp.h> > struct nvif_disp; > > struct nvif_outp { > @@ -21,7 +22,7 @@ int nvif_outp_acquire_rgb_crt(struct nvif_outp *); > int nvif_outp_acquire_tmds(struct nvif_outp *, int head, > bool hdmi, u8 max_ac_packet, u8 rekey, u8 scdc, bool hda); > int nvif_outp_acquire_lvds(struct nvif_outp *, bool dual, bool bpc8); > -int nvif_outp_acquire_dp(struct nvif_outp *, u8 dpcd[16], > +int nvif_outp_acquire_dp(struct nvif_outp *outp, u8 dpcd[DP_RECEIVER_CAP_SIZE], > int link_nr, int link_bw, bool hda, bool mst); > void nvif_outp_release(struct nvif_outp *); > int nvif_outp_infoframe(struct nvif_outp *, u8 type, struct nvif_outp_infoframe_v0 *, u32 size); > diff --git a/drivers/gpu/drm/nouveau/nvif/outp.c b/drivers/gpu/drm/nouveau/nvif/outp.c > index 7da39f1eae9f..c24bc5eae3ec 100644 > --- a/drivers/gpu/drm/nouveau/nvif/outp.c > +++ b/drivers/gpu/drm/nouveau/nvif/outp.c > @@ -127,7 +127,7 @@ nvif_outp_acquire(struct nvif_outp *outp, u8 proto, struct nvif_outp_acquire_v0 > } > > int > -nvif_outp_acquire_dp(struct nvif_outp *outp, u8 dpcd[16], > +nvif_outp_acquire_dp(struct nvif_outp *outp, u8 dpcd[DP_RECEIVER_CAP_SIZE], > int link_nr, int link_bw, bool hda, bool mst) > { > struct nvif_outp_acquire_v0 args; > -- > 2.34.1 >-- Kees Cook