drm/amdgpu: Fix potential out-of-bounds access in 'amdgpu_discovery_reg_base_init()'

PlaidCat · PlaidCat · commit db79970e0b71 · 2025-06-06T13:31:01.000-04:00
jira LE-3201 cve CVE-2024-27042 Rebuild_History Non-Buildable kernel-rt-4.18.0-553.22.1.rt7.363.el8_10 commit-author Srinivasan Shanmugam <srinivasan.shanmugam@amd.com> commit cdb637d Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-rt-4.18.0-553.22.1.rt7.363.el8_10/cdb637d3.failed The issue arises when the array 'adev->vcn.vcn_config' is accessed before checking if the index 'adev->vcn.num_vcn_inst' is within the bounds of the array. The fix involves moving the bounds check before the array access. This ensures that 'adev->vcn.num_vcn_inst' is within the bounds of the array before it is used as an index. Fixes the below: drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c:1289 amdgpu_discovery_reg_base_init() error: testing array offset 'adev->vcn.num_vcn_inst' after use. Fixes: a0ccc71 ("drm/amdgpu/discovery: validate VCN and SDMA instances") Cc: Christian König <christian.koenig@amd.com> Cc: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com> Reviewed-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit cdb637d) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
diff --git a/ciq/ciq_backports/kernel-rt-4.18.0-553.22.1.rt7.363.el8_10/cdb637d3.failed b/ciq/ciq_backports/kernel-rt-4.18.0-553.22.1.rt7.363.el8_10/cdb637d3.failed
@@ -0,0 +1,71 @@
+drm/amdgpu: Fix potential out-of-bounds access in 'amdgpu_discovery_reg_base_init()'
+
+jira LE-3201
+cve CVE-2024-27042
+Rebuild_History Non-Buildable kernel-rt-4.18.0-553.22.1.rt7.363.el8_10
+commit-author Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+commit cdb637d339572398821204a1142d8d615668f1e9
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-rt-4.18.0-553.22.1.rt7.363.el8_10/cdb637d3.failed
+
+The issue arises when the array 'adev->vcn.vcn_config' is accessed
+before checking if the index 'adev->vcn.num_vcn_inst' is within the
+bounds of the array.
+
+The fix involves moving the bounds check before the array access. This
+ensures that 'adev->vcn.num_vcn_inst' is within the bounds of the array
+before it is used as an index.
+
+Fixes the below:
+drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c:1289 amdgpu_discovery_reg_base_init() error: testing array offset 'adev->vcn.num_vcn_inst' after use.
+
+Fixes: a0ccc717c4ab ("drm/amdgpu/discovery: validate VCN and SDMA instances")
+	Cc: Christian König <christian.koenig@amd.com>
+	Cc: Alex Deucher <alexander.deucher@amd.com>
+	Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+	Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+	Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit cdb637d339572398821204a1142d8d615668f1e9)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
+diff --cc drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
+index c65765f9aad1,118288b64487..000000000000
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
+@@@ -1141,15 -1282,21 +1141,27 @@@ static int amdgpu_discovery_reg_base_in
+  				 *     0b10 : encode is disabled
+  				 *     0b01 : decode is disabled
+  				 */
+++<<<<<<< HEAD
+ +				adev->vcn.vcn_config[adev->vcn.num_vcn_inst] =
+ +					ip->revision & 0xc0;
+ +				ip->revision &= ~0xc0;
+ +				if (adev->vcn.num_vcn_inst < AMDGPU_MAX_VCN_INSTANCES)
+++=======
++ 				if (adev->vcn.num_vcn_inst <
++ 				    AMDGPU_MAX_VCN_INSTANCES) {
++ 					adev->vcn.vcn_config[adev->vcn.num_vcn_inst] =
++ 						ip->revision & 0xc0;
+++>>>>>>> cdb637d33957 (drm/amdgpu: Fix potential out-of-bounds access in 'amdgpu_discovery_reg_base_init()')
+  					adev->vcn.num_vcn_inst++;
+ -					adev->vcn.inst_mask |=
+ -						(1U << ip->instance_number);
+ -					adev->jpeg.inst_mask |=
+ -						(1U << ip->instance_number);
+ -				} else {
+ +				else
+  					dev_err(adev->dev, "Too many VCN instances: %d vs %d\n",
+  						adev->vcn.num_vcn_inst + 1,
+  						AMDGPU_MAX_VCN_INSTANCES);
+++<<<<<<< HEAD
+++=======
++ 				}
++ 				ip->revision &= ~0xc0;
+++>>>>>>> cdb637d33957 (drm/amdgpu: Fix potential out-of-bounds access in 'amdgpu_discovery_reg_base_init()')
+  			}
+  			if (le16_to_cpu(ip->hw_id) == SDMA0_HWID ||
+  			    le16_to_cpu(ip->hw_id) == SDMA1_HWID ||
+* Unmerged path drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
