diff options
| author | Harry Wentland <harry.wentland@amd.com> | 2026-06-16 12:17:45 -0400 |
|---|---|---|
| committer | Alex Deucher <alexander.deucher@amd.com> | 2026-07-01 13:00:40 -0400 |
| commit | 93c8fe6d56037f284be7116d0c8155847c6d7fbe (patch) | |
| tree | d94e86c2b8e4ed53c43e2a200d0caf1276bd3219 /drivers/gpu/nova-core/fsp/git@git.tavy.me:linux.git | |
| parent | 75050390151a14802be433c3856ddcb483cecd24 (diff) | |
drm/amd/display: guard against overflow in HDCP message dump
[Why]
mod_hdcp_dump_binary_message() computed target_size (a uint32_t) as roughly
byte_size * msg_size and gated the whole write on buf_size >= target_size. A
large msg_size can overflow target_size, wrapping it to a small value that
passes the check while the loop still writes byte_size * msg_size bytes
into buf. All current callers pass small constants so this is not reachable
today, but the unchecked arithmetic should be hardened.
[How]
Drop the overflow-prone target_size precomputation and instead bounds-check the
output position on every iteration, stopping once the next entry would not leave
room for the trailing terminator. This cannot overflow and, for oversized
messages, dumps as much as fits rather than printing nothing.
Fixes: 4c283fdac08a ("drm/amd/display: Add HDCP module")
Assisted-by: Copilot:claude-opus-4.8
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: George Zhang <george.zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit d0a775e5d70b376696245a14c09e3aa6dde0023a)
Cc: stable@vger.kernel.org
Diffstat (limited to 'drivers/gpu/nova-core/fsp/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions
