Re: [PATCH][next] drm/kmb: fix array out-of-bounds writes to kmb->plane_status[]

From: Sam Ravnborg
Date: Fri Nov 13 2020 - 09:56:08 EST

Next message: Ming Lei: "Re: [PATCH] iosched: Add i10 I/O Scheduler"
Previous message: Jes Sorensen: "Re: [PATCH] rtl8xxxu: remove the unused variable timeout value assignment"
In reply to: Colin King: "[PATCH][next] drm/kmb: fix array out-of-bounds writes to kmb->plane_status[]"
Next in thread: Colin Ian King: "Re: [PATCH][next] drm/kmb: fix array out-of-bounds writes to kmb->plane_status[]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Colin.

On Fri, Nov 13, 2020 at 12:01:21PM +0000, Colin King wrote:
> From: Colin Ian King <colin.king@xxxxxxxxxxxxx>
>
> Writes to elements in the kmb->plane_status array in function
> kmb_plane_atomic_disable are overrunning the array when plane_id is
> more than 1 because currently the array is KMB_MAX_PLANES elements
> in size and this is currently #defined as 1. Fix this by defining
> KMB_MAX_PLANES to 4.

I fail to follow you here.
In kmb_plane_init() only one plane is allocated - with id set to 0.
So for now only one plane is allocated thus kmb_plane_atomic_disable()
is only called for this plane.

With your change we will start allocating four planes, something that is
not tested.

Do I miss something?

Sam

Next message: Ming Lei: "Re: [PATCH] iosched: Add i10 I/O Scheduler"
Previous message: Jes Sorensen: "Re: [PATCH] rtl8xxxu: remove the unused variable timeout value assignment"
In reply to: Colin King: "[PATCH][next] drm/kmb: fix array out-of-bounds writes to kmb->plane_status[]"
Next in thread: Colin Ian King: "Re: [PATCH][next] drm/kmb: fix array out-of-bounds writes to kmb->plane_status[]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]