drm: nv04: Fix out of bounds access
stable inclusion from stable-v4.19.313 commit c2b97f26f081ceec3298151481687071075a25cb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L5JU CVE: CVE-2024-27008 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c2b97f26f081ceec3298151481687071075a25cb -------------------------------- [ Upstream commit cf92bb778eda7830e79452c6917efa8474a30c1e ] When Output Resource (dcb->or) value is assigned in fabricate_dcb_output(), there may be out of bounds access to dac_users array in case dcb->or is zero because ffs(dcb->or) is used as index there. The 'or' argument of fabricate_dcb_output() must be interpreted as a number of bit to set, not value. Utilize macros from 'enum nouveau_or' in calls instead of hardcoding. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 2e5702af ("drm/nouveau: fabricate DCB encoder table for iMac G4") Fixes: 670820c0 ("drm/nouveau: Workaround incorrect DCB entry on a GeForce3 Ti 200.") Signed-off-by:Mikhail Kobuk <m.kobuk@ispras.ru> Signed-off-by:
Loading
Please sign in to comment