Re: [PATCH v2] drm: fix off-by-one in logger

From: Norbert Manthey
Date: Wed May 23 2018 - 04:59:01 EST

Next message: Souptick Joarder: "Re: [PATCH v2] gpu: drm: udl: Adding new typedef vm_fault_t"
Previous message: Mark Brown: "Re: [alsa-devel] [RFC/RFT PATCH] ASoC: topology: Improve backwards compatibility with v4 topology files"
In reply to: Norbert Manthey: "[PATCH v2] drm: fix off-by-one in logger"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dear all,

I just noticed that replying to my earlier email thread failed, and that
I thereby created a new thread. The original thread is the following one:
https://lkml.org/lkml/2018/2/16/274

I am sorry for the confusion!

Best,
Norbert

On 05/23/2018 08:22 AM, Norbert Manthey wrote:
> The current implementation will leak a byte to the log via memmove. The
> specified 27 bytes are off-by-one, as the payload is 25 bytes, and the
> termination character is only one byte large. To avoid this, factor out
> the error message, and furthermore make the second parameter of the
> append_entry function const.
>
> The full trace is as follows:
>
> In function âmemmoveâ,
> from âappend_entryâ at
> drivers/gpu/drm/amd/display/dc/basics/logger.c:257:2,
> from âdm_logger_append_vaâ at
> drivers/gpu/drm/amd/display/dc/basics/logger.c:348:4
> detected read beyond size of object passed as 2nd parameter
>
> Signed-off-by: Norbert Manthey <nmanthey@xxxxxxxxx>
> ---
> drivers/gpu/drm/amd/display/dc/basics/logger.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/display/dc/basics/logger.c b/drivers/gpu/drm/amd/display/dc/basics/logger.c
> index 31bee05..6ba8d0c 100644
> --- a/drivers/gpu/drm/amd/display/dc/basics/logger.c
> +++ b/drivers/gpu/drm/amd/display/dc/basics/logger.c
> @@ -244,7 +244,7 @@ static void log_heading(struct log_entry *entry)
>
> static void append_entry(
> struct log_entry *entry,
> - char *buffer,
> + const char *buffer,
> uint32_t buf_size)
> {
> if (!entry->buf ||
> @@ -346,7 +346,9 @@ void dm_logger_append_va(
> if (size < LOG_MAX_LINE_SIZE - 1) {
> append_entry(entry, buffer, size);
> } else {
> - append_entry(entry, "LOG_ERROR, line too long\n", 27);
> + static const char msg[] = "LOG_ERROR, line too long\n";
> +
> + append_entry(entry, msg, sizeof(msg));
> }
> }
> }

Amazon Development Center Germany GmbH
Berlin - Dresden - Aachen
main office: Krausenstr. 38, 10117 Berlin
Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger
Ust-ID: DE289237879
Eingetragen am Amtsgericht Charlottenburg HRB 149173 B

Next message: Souptick Joarder: "Re: [PATCH v2] gpu: drm: udl: Adding new typedef vm_fault_t"
Previous message: Mark Brown: "Re: [alsa-devel] [RFC/RFT PATCH] ASoC: topology: Improve backwards compatibility with v4 topology files"
In reply to: Norbert Manthey: "[PATCH v2] drm: fix off-by-one in logger"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]