Commit bfdbea68 authored by Hersen Wu's avatar Hersen Wu Committed by Bowen You
Browse files

drm/amd/display: Add array index check for hdcp ddc access 

stable inclusion
from stable-5.10.226
commit 2a63c90c7a90ab2bd23deebc2814fc5b52abf6d2
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAU9O7
CVE: CVE-2024-46804

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2a63c90c7a90ab2bd23deebc2814fc5b52abf6d2



--------------------------------

[ Upstream commit 4e70c0f5251c25885c31ee84a31f99a01f7cf50e ]

[Why]
Coverity reports OVERRUN warning. Do not check if array
index valid.

[How]
Check msg_id valid and valid array index.

Reviewed-by: default avatarAlex Hung <alex.hung@amd.com>
Acked-by: default avatarTom Chung <chiahsuan.chung@amd.com>
Signed-off-by: default avatarHersen Wu <hersenxs.wu@amd.com>
Tested-by: default avatarDaniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarBowen You <youbowen2@huawei.com>
parent 58d44ef1

drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c

+24 −4
Original line number Diff line number Diff line
@@ -156,11 +156,16 @@ static enum mod_hdcp_status read(struct mod_hdcp *hdcp, 
	uint32_t cur_size = 0;

	uint32_t data_offset = 0;



	if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) {

	if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID ||

		msg_id >= MOD_HDCP_MESSAGE_ID_MAX)

		return MOD_HDCP_STATUS_DDC_FAILURE;

	}



	if (is_dp_hdcp(hdcp)) {

		int num_dpcd_addrs = sizeof(hdcp_dpcd_addrs) /

			sizeof(hdcp_dpcd_addrs[0]);

		if (msg_id >= num_dpcd_addrs)

			return MOD_HDCP_STATUS_DDC_FAILURE;



		while (buf_len > 0) {

			cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE);

			success = hdcp->config.ddc.funcs.read_dpcd(hdcp->config.ddc.handle,
@@ -175,6 +180,11 @@ static enum mod_hdcp_status read(struct mod_hdcp *hdcp, 
			data_offset += cur_size;

		}

	} else {

		int num_i2c_offsets = sizeof(hdcp_i2c_offsets) /

			sizeof(hdcp_i2c_offsets[0]);

		if (msg_id >= num_i2c_offsets)

			return MOD_HDCP_STATUS_DDC_FAILURE;



		success = hdcp->config.ddc.funcs.read_i2c(

				hdcp->config.ddc.handle,

				HDCP_I2C_ADDR,
@@ -219,11 +229,16 @@ static enum mod_hdcp_status write(struct mod_hdcp *hdcp, 
	uint32_t cur_size = 0;

	uint32_t data_offset = 0;



	if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) {

	if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID ||

		msg_id >= MOD_HDCP_MESSAGE_ID_MAX)

		return MOD_HDCP_STATUS_DDC_FAILURE;

	}



	if (is_dp_hdcp(hdcp)) {

		int num_dpcd_addrs = sizeof(hdcp_dpcd_addrs) /

			sizeof(hdcp_dpcd_addrs[0]);

		if (msg_id >= num_dpcd_addrs)

			return MOD_HDCP_STATUS_DDC_FAILURE;



		while (buf_len > 0) {

			cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE);

			success = hdcp->config.ddc.funcs.write_dpcd(
@@ -239,6 +254,11 @@ static enum mod_hdcp_status write(struct mod_hdcp *hdcp, 
			data_offset += cur_size;

		}

	} else {

		int num_i2c_offsets = sizeof(hdcp_i2c_offsets) /

			sizeof(hdcp_i2c_offsets[0]);

		if (msg_id >= num_i2c_offsets)

			return MOD_HDCP_STATUS_DDC_FAILURE;



		hdcp->buf[0] = hdcp_i2c_offsets[msg_id];

		memmove(&hdcp->buf[1], buf, buf_len);

		success = hdcp->config.ddc.funcs.write_i2c(