CVE-2024-50016
Alex Hung (1): drm/amd/display: Avoid overflow assignment in link_dp_cts
drivers/gpu/drm/amd/display/dc/dc_dp_types.h | 2 +- drivers/gpu/drm/amd/display/dc/link/accessories/link_dp_cts.c | 3 ++- drivers/gpu/drm/amd/display/include/dpcd_defs.h | 1 + 3 files changed, 4 insertions(+), 2 deletions(-)
From: Alex Hung alex.hung@amd.com
mainline inclusion from mainline-v6.12-rc1 commit a15268787b79fd183dd526cc16bec9af4f4e49a1 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRBP CVE: CVE-2024-50016
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
[ Upstream commit a15268787b79fd183dd526cc16bec9af4f4e49a1 ]
sampling_rate is an uint8_t but is assigned an unsigned int, and thus it can overflow. As a result, sampling_rate is changed to uint32_t.
Similarly, LINK_QUAL_PATTERN_SET has a size of 2 bits, and it should only be assigned to a value less or equal than 4.
This fixes 2 INTEGER_OVERFLOW issues reported by Coverity.
Signed-off-by: Alex Hung alex.hung@amd.com Reviewed-by: Wenjing Liu wenjing.liu@amd.com Tested-by: Daniel Wheeler daniel.wheeler@amd.com Signed-off-by: Rodrigo Siqueira rodrigo.siqueira@amd.com Signed-off-by: Alex Deucher alexander.deucher@amd.com Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Yuntao Liu liuyuntao12@huawei.com --- drivers/gpu/drm/amd/display/dc/dc_dp_types.h | 2 +- drivers/gpu/drm/amd/display/dc/link/accessories/link_dp_cts.c | 3 ++- drivers/gpu/drm/amd/display/include/dpcd_defs.h | 1 + 3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dc_dp_types.h b/drivers/gpu/drm/amd/display/dc/dc_dp_types.h index 83719f5bea49..8df52f9ba0b7 100644 --- a/drivers/gpu/drm/amd/display/dc/dc_dp_types.h +++ b/drivers/gpu/drm/amd/display/dc/dc_dp_types.h @@ -721,7 +721,7 @@ struct dp_audio_test_data_flags { struct dp_audio_test_data {
struct dp_audio_test_data_flags flags; - uint8_t sampling_rate; + uint32_t sampling_rate; uint8_t channel_count; uint8_t pattern_type; uint8_t pattern_period[8]; diff --git a/drivers/gpu/drm/amd/display/dc/link/accessories/link_dp_cts.c b/drivers/gpu/drm/amd/display/dc/link/accessories/link_dp_cts.c index fe4282771cd0..8a97d96f7d8b 100644 --- a/drivers/gpu/drm/amd/display/dc/link/accessories/link_dp_cts.c +++ b/drivers/gpu/drm/amd/display/dc/link/accessories/link_dp_cts.c @@ -849,7 +849,8 @@ bool dp_set_test_pattern( core_link_read_dpcd(link, DP_TRAINING_PATTERN_SET, &training_pattern.raw, sizeof(training_pattern)); - training_pattern.v1_3.LINK_QUAL_PATTERN_SET = pattern; + if (pattern <= PHY_TEST_PATTERN_END_DP11) + training_pattern.v1_3.LINK_QUAL_PATTERN_SET = pattern; core_link_write_dpcd(link, DP_TRAINING_PATTERN_SET, &training_pattern.raw, sizeof(training_pattern)); diff --git a/drivers/gpu/drm/amd/display/include/dpcd_defs.h b/drivers/gpu/drm/amd/display/include/dpcd_defs.h index aee5170f5fb2..c246235e4afe 100644 --- a/drivers/gpu/drm/amd/display/include/dpcd_defs.h +++ b/drivers/gpu/drm/amd/display/include/dpcd_defs.h @@ -76,6 +76,7 @@ enum dpcd_phy_test_patterns { PHY_TEST_PATTERN_D10_2, PHY_TEST_PATTERN_SYMBOL_ERROR, PHY_TEST_PATTERN_PRBS7, + PHY_TEST_PATTERN_END_DP11 = PHY_TEST_PATTERN_PRBS7, PHY_TEST_PATTERN_80BIT_CUSTOM,/* For DP1.2 only */ PHY_TEST_PATTERN_CP2520_1, PHY_TEST_PATTERN_CP2520_2,
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/12883 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/G...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/12883 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/G...
-
patchwork bot -
Yuntao Liu