drm/amd/pm: bound OD parameter parsing to stack array size

Reject inputs once parameter_size reaches the array limit, and pass
ARRAY_SIZE(parameter) into parse_input_od_command_lines() for defense in
depth.

Signed-off-by: Candice Li <candice.li@amd.com>
Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

diff --git a/drivers/gpu/drm/amd/pm/amdgpu_pm.c b/drivers/gpu/drm/amd/pm/amdgpu_pm.c
index 714c702b4f8cbd3357a4a9a306fc1bc50d4a06a9..a21d1506e6ab5e19acd0a283773b184bcf36f5af 100644 (file)
--- a/drivers/gpu/drm/amd/pm/amdgpu_pm.c
+++ b/drivers/gpu/drm/amd/pm/amdgpu_pm.c
@@ -806,6 +806,8 @@ static ssize_t amdgpu_set_pp_od_clk_voltage(struct device *dev,
        while ((sub_str = strsep(&tmp_str, delimiter)) != NULL) {
                if (strlen(sub_str) == 0)
                        continue;
+               if (parameter_size >= ARRAY_SIZE(parameter))
+                       return -EINVAL;
                ret = kstrtol(sub_str, 0, &parameter[parameter_size]);
                if (ret)
                        return -EINVAL;
@@ -3957,6 +3959,7 @@ static int parse_input_od_command_lines(const char *buf,
                                        size_t count,
                                        u32 *type,
                                        long *params,
+                                       size_t params_max,
                                        uint32_t *num_of_params)
 {
        const char delimiter[3] = {' ', '\n', '\0'};
@@ -3992,6 +3995,9 @@ static int parse_input_od_command_lines(const char *buf,
                if (strlen(sub_str) == 0)
                        continue;
 
+               if (parameter_size >= params_max)
+                       return -EINVAL;
+
                ret = kstrtol(sub_str, 0, &params[parameter_size]);
                if (ret)
                        return -EINVAL;
@@ -4023,6 +4029,7 @@ amdgpu_distribute_custom_od_settings(struct amdgpu_device *adev,
                                           count,
                                           &cmd_type,
                                           parameter,
+                                          ARRAY_SIZE(parameter),
                                           &parameter_size);
        if (ret)
                return ret;