tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

drm/amd/display: Check msg_id before processing transcation

[WHY & HOW]
HDCP_MESSAGE_ID_INVALID (-1) is not a valid msg_id nor is it a valid
array index, and it needs checking before used.

This fixes 4 OVERRUN issues reported by Coverity.

Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Acked-by: Tom Chung <chiahsuan.chung@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

authored by

Alex Hung and committed by
Alex Deucher fa71face efabdce3

+15 -2
+15 -2
drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c
··· 128 128 const uint8_t hdcp_i2c_addr_link_primary = 0x3a; /* 0x74 >> 1*/ 129 129 const uint8_t hdcp_i2c_addr_link_secondary = 0x3b; /* 0x76 >> 1*/ 130 130 struct i2c_command i2c_command; 131 - uint8_t offset = hdcp_i2c_offsets[message_info->msg_id]; 131 + uint8_t offset; 132 132 struct i2c_payload i2c_payloads[] = { 133 - { true, 0, 1, &offset }, 133 + { true, 0, 1, 0 }, 134 134 /* actual hdcp payload, will be filled later, zeroed for now*/ 135 135 { 0 } 136 136 }; 137 + 138 + if (message_info->msg_id == HDCP_MESSAGE_ID_INVALID) { 139 + DC_LOG_ERROR("%s: Invalid message_info msg_id - %d\n", __func__, message_info->msg_id); 140 + return false; 141 + } 142 + 143 + offset = hdcp_i2c_offsets[message_info->msg_id]; 144 + i2c_payloads[0].data = &offset; 137 145 138 146 switch (message_info->link) { 139 147 case HDCP_LINK_SECONDARY: ··· 316 308 struct dc_link *link, 317 309 struct hdcp_protection_message *message_info) 318 310 { 311 + if (message_info->msg_id == HDCP_MESSAGE_ID_INVALID) { 312 + DC_LOG_ERROR("%s: Invalid message_info msg_id - %d\n", __func__, message_info->msg_id); 313 + return false; 314 + } 315 + 319 316 return dpcd_access_helper( 320 317 link, 321 318 message_info->length,