Commit e6c82f8c authored Oct 14, 2021 by Kees Cook Committed by Zheng Zengkai Oct 15, 2021

drm/amd/display: Avoid HDCP over-read and corruption

stable inclusion
from stable-5.10.51
commit c5b518f4b98dbb2bc31b6a55e6aaa1e0e2948f2e
bugzilla: 175263 https://gitee.com/openeuler/kernel/issues/I4DT6F

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c5b518f4b98dbb2bc31b6a55e6aaa1e0e2948f2e



--------------------------------

[ Upstream commit 06888d57 ]

Instead of reading the desired 5 bytes of the actual target field,
the code was reading 8. This could result in a corrupted value if the
trailing 3 bytes were non-zero, so instead use an appropriately sized
and zero-initialized bounce buffer, and read only 5 bytes before casting
to u64.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Chen Jun <chenjun102@huawei.com>
Acked-by: Weilong Chen <chenweilong@huawei.com>
Signed-off-by: Chen Jun <chenjun102@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>

parent d5d53d1b

drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -29,8 +29,10 @@ static inline enum mod_hdcp_status validate_bksv(struct mod_hdcp *hdcp)
		{
		uint64_t n = 0;
		uint8_t count = 0;
		u8 bksv[sizeof(n)] = { };

		memcpy(&n, hdcp->auth.msg.hdcp1.bksv, sizeof(uint64_t));
		memcpy(bksv, hdcp->auth.msg.hdcp1.bksv, sizeof(hdcp->auth.msg.hdcp1.bksv));
		n = (uint64_t )bksv;

		while (n) {
		count++;