Commit 53127d3f authored by Konstantin Meskhidze, committed by Luo Gengkun

drm/radeon: possible buffer overflow

mainline inclusion
from mainline-v6.7-rc1
commit dd05484f99d16715a88eedfca363828ef9a4c2d4
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R7JN
CVE: CVE-2023-52867

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dd05484f99d16715a88eedfca363828ef9a4c2d4



--------------------------------

Buffer 'afmt_status' of size 6 could overflow, since index 'afmt_idx' is
checked after access.

Fixes: 5cc4e5fc ("drm/radeon: Cleanup HDMI audio interrupt handling for evergreen")
Co-developed-by: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com>
Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Luo Gengkun <luogengkun@huaweicloud.com>
parent 5bab8a92
+4 −3
@@ -4815,14 +4815,15 @@ int evergreen_irq_process(struct radeon_device *rdev)
			break;
		case 44: /* hdmi */
			afmt_idx = src_data;
			if (!(afmt_status[afmt_idx] & AFMT_AZ_FORMAT_WTRIG))
				DRM_DEBUG("IH: IH event w/o asserted irq bit?\n");

			if (afmt_idx > 5) {
				DRM_ERROR("Unhandled interrupt: %d %d\n",
					  src_id, src_data);
				break;
			}

			if (!(afmt_status[afmt_idx] & AFMT_AZ_FORMAT_WTRIG))
				DRM_DEBUG("IH: IH event w/o asserted irq bit?\n");

			afmt_status[afmt_idx] &= ~AFMT_AZ_FORMAT_WTRIG;
			queue_hdmi = true;
			DRM_DEBUG("IH: HDMI%d\n", afmt_idx + 1);
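
Review bot: the bound in `if (afmt_idx > 5)` is a bare literal tied to the size of `afmt_status` (6 according to the commit message); writing it as `afmt_idx >= ARRAY_SIZE(afmt_status)` would keep the check correct if the array is ever resized. The check is upper-bound only, so it depends on `afmt_idx` being an unsigned type; its declaration is not in this hunk and is worth confirming, since the value is assigned straight from `src_data`. With the check placed ahead of the first `afmt_status[afmt_idx]` read, both that read and the later `afmt_status[afmt_idx] &= ~AFMT_AZ_FORMAT_WTRIG` write are covered by it.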