Skip to content

Commit

Permalink
drm/radeon: possible buffer overflow
Browse files Browse the repository at this point in the history
Buffer 'afmt_status' of size 6 could overflow, since index 'afmt_idx' is
checked after access.

Fixes: 5cc4e5f ("drm/radeon: Cleanup HDMI audio interrupt handling for evergreen")
Co-developed-by: Ivanov Mikhail <[email protected]>
Signed-off-by: Konstantin Meskhidze <[email protected]>
Signed-off-by: Alex Deucher <[email protected]>
  • Loading branch information
BoardzMaster authored and alexdeucher committed Aug 30, 2023
1 parent 95dd6ef commit dd05484
Showing 1 changed file with 4 additions and 3 deletions.
7 changes: 4 additions & 3 deletions drivers/gpu/drm/radeon/evergreen.c
Original file line number Diff line number Diff line change
Expand Up @@ -4821,14 +4821,15 @@ int evergreen_irq_process(struct radeon_device *rdev)
break;
case 44: /* hdmi */
afmt_idx = src_data;
if (!(afmt_status[afmt_idx] & AFMT_AZ_FORMAT_WTRIG))
DRM_DEBUG("IH: IH event w/o asserted irq bit?\n");

if (afmt_idx > 5) {
DRM_ERROR("Unhandled interrupt: %d %d\n",
src_id, src_data);
break;
}

if (!(afmt_status[afmt_idx] & AFMT_AZ_FORMAT_WTRIG))
DRM_DEBUG("IH: IH event w/o asserted irq bit?\n");

afmt_status[afmt_idx] &= ~AFMT_AZ_FORMAT_WTRIG;
queue_hdmi = true;
DRM_DEBUG("IH: HDMI%d\n", afmt_idx + 1);
Expand Down

0 comments on commit dd05484

Please sign in to comment.