Commit c88e2647 authored Jun 17, 2021 by Kees Cook Committed by José Roberto de Souza Jun 21, 2021

drm/i915/display: Do not zero past infoframes.vsc



intel_dp_vsc_sdp_unpack() was using a memset() size (36, struct dp_sdp)
larger than the destination (24, struct drm_dp_vsc_sdp), clobbering
fields in struct intel_crtc_state after infoframes.vsc. Use the actual
target size for the memset().

Fixes: 1b404b7d ("drm/i915/dp: Read out DP SDPs")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: José Roberto de Souza <jose.souza@intel.com>
Signed-off-by: José Roberto de Souza <jose.souza@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20210617213301.1824728-1-keescook@chromium.org

parent 151ec347

drivers/gpu/drm/i915/display/intel_dp.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -2868,7 +2868,7 @@ static int intel_dp_vsc_sdp_unpack(struct drm_dp_vsc_sdp *vsc,
		if (size < sizeof(struct dp_sdp))
		return -EINVAL;

		memset(vsc, 0, size);
		memset(vsc, 0, sizeof(*vsc));

		if (sdp->sdp_header.HB0 != 0)
		return -EINVAL;