]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
drm/amd/display: guard against overflow in HDCP message dump
authorHarry Wentland <harry.wentland@amd.com>
Tue, 16 Jun 2026 16:17:45 +0000 (12:17 -0400)
committerAlex Deucher <alexander.deucher@amd.com>
Wed, 1 Jul 2026 17:00:40 +0000 (13:00 -0400)
[Why]
mod_hdcp_dump_binary_message() computed target_size (a uint32_t) as roughly
byte_size * msg_size and gated the whole write on buf_size >= target_size. A
large msg_size can overflow target_size, wrapping it to a small value that
passes the check while the loop still writes byte_size * msg_size bytes
into buf. All current callers pass small constants so this is not reachable
today, but the unchecked arithmetic should be hardened.

[How]
Drop the overflow-prone target_size precomputation and instead bounds-check the
output position on every iteration, stopping once the next entry would not leave
room for the trailing terminator. This cannot overflow and, for oversized
messages, dumps as much as fits rather than printing nothing.

Fixes: 4c283fdac08a ("drm/amd/display: Add HDCP module")
Assisted-by: Copilot:claude-opus-4.8
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: George Zhang <george.zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit d0a775e5d70b376696245a14c09e3aa6dde0023a)
Cc: stable@vger.kernel.org
drivers/gpu/drm/amd/display/modules/hdcp/hdcp_log.c

index 1164fd96b714c859c1dc79d18b082f88ca9da341..f0f8e280ed30a4c8e79d351b620e569b2bb7e803 100644 (file)
@@ -33,22 +33,28 @@ void mod_hdcp_dump_binary_message(uint8_t *msg, uint32_t msg_size,
                        byte_size = 3,
                        newline_size = 1,
                        terminator_size = 1;
-       uint32_t line_count = msg_size / bytes_per_line,
-                       trailing_bytes = msg_size % bytes_per_line;
-       uint32_t target_size = (byte_size * bytes_per_line + newline_size) * line_count +
-                       byte_size * trailing_bytes + newline_size + terminator_size;
        uint32_t buf_pos = 0;
        uint32_t i = 0;
 
-       if (buf_size >= target_size) {
-               for (i = 0; i < msg_size; i++) {
-                       if (i % bytes_per_line == 0)
-                               buf[buf_pos++] = '\n';
-                       sprintf((char *)&buf[buf_pos], "%02X ", msg[i]);
-                       buf_pos += byte_size;
-               }
-               buf[buf_pos++] = '\0';
+       /* Need room for at least the terminator. */
+       if (buf_size < terminator_size)
+               return;
+
+       for (i = 0; i < msg_size; i++) {
+               uint32_t needed = byte_size + terminator_size;
+
+               if (i % bytes_per_line == 0)
+                       needed += newline_size;
+
+               if (buf_pos + needed > buf_size)
+                       break;
+
+               if (i % bytes_per_line == 0)
+                       buf[buf_pos++] = '\n';
+               sprintf((char *)&buf[buf_pos], "%02X ", msg[i]);
+               buf_pos += byte_size;
        }
+       buf[buf_pos++] = '\0';
 }
 
 void mod_hdcp_log_ddc_trace(struct mod_hdcp *hdcp)