Commit 06888d57 authored May 28, 2021 by Kees Cook Committed by Alex Deucher Jun 01, 2021

drm/amd/display: Avoid HDCP over-read and corruption



Instead of reading the desired 5 bytes of the actual target field,
the code was reading 8. This could result in a corrupted value if the
trailing 3 bytes were non-zero, so instead use an appropriately sized
and zero-initialized bounce buffer, and read only 5 bytes before casting
to u64.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

parent 66c46621

drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -29,8 +29,10 @@ static inline enum mod_hdcp_status validate_bksv(struct mod_hdcp *hdcp)
		{
		uint64_t n = 0;
		uint8_t count = 0;
		u8 bksv[sizeof(n)] = { };

		memcpy(&n, hdcp->auth.msg.hdcp1.bksv, sizeof(uint64_t));
		memcpy(bksv, hdcp->auth.msg.hdcp1.bksv, sizeof(hdcp->auth.msg.hdcp1.bksv));
		n = (uint64_t )bksv;

		while (n) {
		count++;