From patchwork Thu Feb 29 13:10:24 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andrey Shumilin <shum.sdl@nppct.ru>
X-Patchwork-Id: 208360
Return-Path: <linux-kernel+bounces-86742-ouuuleilei=gmail.com@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:7301:2097:b0:108:e6aa:91d0 with SMTP id
 gs23csp386974dyb;
        Thu, 29 Feb 2024 05:19:52 -0800 (PST)
X-Forwarded-Encrypted: i=3;
 AJvYcCXj5D4uN8LoWP3V8I8M2e8OWnAvbnYQvzrXfm9Tg6/VvQK/dejJibPxDEVqdfP86pKJAjaakKT/cmZroJq0zu/N6AFLXw==
X-Google-Smtp-Source: 
 AGHT+IGffhaSUxtH8wtSiNtykF7vJ3tkbxQ7q2W9R2JFrJqGiiqChnDmyhyF4V80OSuwd3PIcAdU
X-Received: by 2002:a5e:8810:0:b0:7c7:b2ff:9f32 with SMTP id
 l16-20020a5e8810000000b007c7b2ff9f32mr2255094ioj.2.1709212792093;
        Thu, 29 Feb 2024 05:19:52 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1709212792; cv=pass;
        d=google.com; s=arc-20160816;
        b=X4igezQ8iCaEtXJPmlebBfbPhsqy0+k167wmmf2K93NXVM+rstdTvRAwnZZMEBy9CW
         f+p3W/lxJlrkcJd+YwyhnL+e+yhs6MC/2M7eGMdOg+3zo7047bPyKfW5ApO48cvUj30n
         xf8ExEEOmWIJl/IGaM1/LDnb6wKgW0r0Zwb4opLeFyxmBVE7/2zK2awNzAwlXZ8LOJCg
         IDH4hoGLvb29lDFS1zL5s/9ZMfshJKBAOlm98lxXRtvKagp3YP/1iDZmlZBkkZghCv9e
         AlwQ3Hcqhh5xztQM6cZf9yGu73JwLobltlKkvO2eFzo+u9uFiVYPaxIP6Kvjc8pw05wW
         Pmcg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=MpJBvsnES1SOaDmtjWG24AC9LaxWp9x02Y5QpmBcNpk=;
        fh=rv5QftEkvz719GzdCujbdWqTRsyS8IG1rtS17F3j7WM=;
        b=qPlpFUBGgxqxIHK4Ed6eNLe996OfQj2+UZzRZ7i+D6ry62DN9j+XwYgZL2Md6PLxIG
         4wAdPUaUBABRVgLVMqMUwf2YuE/fkKHqVm0tFgGv3y7EzbsXlgBwAXEgpiod3obq735n
         W4KCxQv6CbZb+V0PF9o8OjmfMpXS3C57WsBgygB/rpiqcfeQuH8QloHBRs77JFDY/JiO
         2f86y7bgW9RCWK8W4NAzUMvHuZTk5JVUYoPMHU+WxjHv6qBh42EptWG4iEnpUHe/Icyr
         hkMZNOCoxwTm1laYyKQtScNQWK5LMJoa10dqSAdbnh7mnch8lN1Y0q6CidKpQoDp73rV
         xv3g==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@nppct.ru header.s=dkim header.b=Fi5mGeks;
       arc=pass (i=1 spf=pass spfdomain=nppct.ru dkim=pass dkdomain=nppct.ru);
       spf=pass (google.com: domain of
 linux-kernel+bounces-86742-ouuuleilei=gmail.com@vger.kernel.org designates
 139.178.88.99 as permitted sender)
 smtp.mailfrom="linux-kernel+bounces-86742-ouuuleilei=gmail.com@vger.kernel.org"
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99])
        by mx.google.com with ESMTPS id
 a192-20020a6390c9000000b005cd88161d2fsi1356879pge.694.2024.02.29.05.19.51
        for <ouuuleilei@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 29 Feb 2024 05:19:52 -0800 (PST)
Received-SPF: pass (google.com: domain of
 linux-kernel+bounces-86742-ouuuleilei=gmail.com@vger.kernel.org designates
 139.178.88.99 as permitted sender) client-ip=139.178.88.99;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@nppct.ru header.s=dkim header.b=Fi5mGeks;
       arc=pass (i=1 spf=pass spfdomain=nppct.ru dkim=pass dkdomain=nppct.ru);
       spf=pass (google.com: domain of
 linux-kernel+bounces-86742-ouuuleilei=gmail.com@vger.kernel.org designates
 139.178.88.99 as permitted sender)
 smtp.mailfrom="linux-kernel+bounces-86742-ouuuleilei=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
 [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id DBB7528507B
	for <ouuuleilei@gmail.com>; Thu, 29 Feb 2024 13:19:51 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id E1AAF7E578;
	Thu, 29 Feb 2024 13:19:44 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=nppct.ru header.i=@nppct.ru
 header.b="Fi5mGeks"
Received: from mail.nppct.ru (mail.nppct.ru [195.133.245.4])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id CAF797E10B
	for <linux-kernel@vger.kernel.org>; Thu, 29 Feb 2024 13:19:26 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=195.133.245.4
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1709212778; cv=none;
 b=f9s+7t9vgrqVF3BNVV9upQSfFnk92gSpf8hkatQrDhCF9xnL4d++urQDo0l/HabIUvS27BD/i1ukiJcQ93+/7vzMw92CMD61r1faHAerLSfQgviDH4pXIUd4PAs4MlXKC1gEX/4iAfPhTD2rrtWIsfn7V0gYjt7txb5Yh2rosaw=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1709212778; c=relaxed/simple;
	bh=dRCSejW2kzJ3xySBJGPqpUgKdSkvijfiyJXAlXGgd3E=;
	h=From:To:Cc:Subject:Date:Message-Id:MIME-Version;
 b=Omyqni+DKawpMdehRrRPP1zdfGhKqCdgOUAK13sfEj+ZM7jQCZ6uRLRc1l7+IWQyPwP7xin+CJHLqQKUMwtO96WhkF1wCIrBuhoNzPlq8lOJeOMlqMd8AXI7XH7LwTpbmx/wBVvUm39L6AkH5i5n7HTuc6T2IPIJyrp6c4Jza5k=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=nppct.ru;
 spf=pass smtp.mailfrom=nppct.ru;
 dkim=pass (1024-bit key) header.d=nppct.ru header.i=@nppct.ru
 header.b=Fi5mGeks; arc=none smtp.client-ip=195.133.245.4
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=nppct.ru
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=nppct.ru
Received: from mail.nppct.ru (localhost [127.0.0.1])
	by mail.nppct.ru (Postfix) with ESMTP id A1E991C0E74
	for <linux-kernel@vger.kernel.org>; Thu, 29 Feb 2024 16:10:42 +0300 (MSK)
Authentication-Results: mail.nppct.ru (amavisd-new); dkim=pass (1024-bit key)
	reason="pass (just generated, assumed good)" header.d=nppct.ru
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nppct.ru; h=
	content-transfer-encoding:mime-version:x-mailer:message-id:date
	:date:subject:subject:to:from:from; s=dkim; t=1709212242; x=
	1710076243; bh=dRCSejW2kzJ3xySBJGPqpUgKdSkvijfiyJXAlXGgd3E=; b=F
	i5mGeksyN0m1+xAorznCpcY5+pNJC12/Kf9nqXJTCyeYyEuLijZLLay/bWgtmYwz
	7KqUV9VRU5loSUNryWLmXwc4Vklo+jXc/8YmSXLfMXRUx7OQNAW16ddaA16CyT1H
	YWWFDgLNX07bpQiJqRoXUAozo0BL4QF78Spuv9Cz0Q=
X-Virus-Scanned: Debian amavisd-new at mail.nppct.ru
Received: from mail.nppct.ru ([127.0.0.1])
	by mail.nppct.ru (mail.nppct.ru [127.0.0.1]) (amavisd-new, port 10026)
	with ESMTP id 2CSd_yPFfNRy for <linux-kernel@vger.kernel.org>;
	Thu, 29 Feb 2024 16:10:42 +0300 (MSK)
Received: from localhost.localdomain (mail.dev-ai-melanoma.ru
 [185.130.227.204])
	by mail.nppct.ru (Postfix) with ESMTPSA id 02F0A1C05FF;
	Thu, 29 Feb 2024 16:10:37 +0300 (MSK)
From: Andrey Shumilin <shum.sdl@nppct.ru>
To: Karol Herbst <kherbst@redhat.com>
Cc: Andrey Shumilin <shum.sdl@nppct.ru>,
	Lyude Paul <lyude@redhat.com>,
	Danilo Krummrich <dakr@redhat.com>,
	David Airlie <airlied@gmail.com>,
	Daniel Vetter <daniel@ffwll.ch>,
	dri-devel@lists.freedesktop.org,
	nouveau@lists.freedesktop.org,
	linux-kernel@vger.kernel.org,
	lvc-project@linuxtesting.org,
	khoroshilov@ispras.ru,
	ykarpov@ispras.ru,
	vmerzlyakov@ispras.ru,
	vefanov@ispras.ru
Subject: [PATCH 3/3] drivers/gpu/drm/nouveau/nvkm/subdev/mxm/base.c:
 BUFFER_OVERFLOW
Date: Thu, 29 Feb 2024 16:10:24 +0300
Message-Id: <20240229131024.636527-1-shum.sdl@nppct.ru>
X-Mailer: git-send-email 2.30.2
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1792239512463820699
X-GMAIL-MSGID: 1792239512463820699

The mxms_structlen function returns u16 (2 bytes).
Therefore it reads 2 bytes beyond the mxms array.

Signed-off-by: Andrey Shumilin <shum.sdl@nppct.ru>
Found by Linux Verification Center (linuxtesting.org) with SVACE.
---
 drivers/gpu/drm/nouveau/nvkm/subdev/mxm/base.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mxm/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/mxm/base.c
index c1acfe642da3..efd0c874742e 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/mxm/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mxm/base.c
@@ -47,7 +47,7 @@ mxm_shadow_rom(struct nvkm_mxm *mxm, u8 version)
 	struct nvkm_bios *bios = device->bios;
 	struct nvkm_i2c *i2c = device->i2c;
 	struct nvkm_i2c_bus *bus = NULL;
-	u8 i2cidx, mxms[6], addr, size;
+	u8 i2cidx, mxms[8], addr, size;
 
 	i2cidx = mxm_ddc_map(bios, 1 /* LVDS_DDC */) & 0x0f;
 	if (i2cidx < 0x0f)