From: Christian König <christian.koenig@amd.com>
To: Greg KH <gregkh@linuxfoundation.org>, cve@kernel.org
Cc: Li hongliang <1468888505@139.com>,
srinivasan.shanmugam@amd.com, patches@lists.linux.dev,
linux-kernel@vger.kernel.org, alexander.deucher@amd.com,
Xinhui.Pan@amd.com, airlied@gmail.com, daniel@ffwll.ch,
sashal@kernel.org, guchun.chen@amd.com,
amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org
Subject: Re: [PATCH 6.1.y] drm/amdgpu: Fix potential out-of-bounds access in 'amdgpu_discovery_reg_base_init()'
Date: Mon, 23 Mar 2026 13:28:24 +0100
Message-ID: <bd383c94-8350-420c-adbf-cc02a9918a37@amd.com>
In-Reply-To: <2026032346-ruse-dork-baf3@gregkh>

Hi Greg,

On 3/23/26 11:32, Greg KH wrote:
> On Mon, Mar 23, 2026 at 10:51:18AM +0100, Christian König wrote:
>> Hi Li,
>>
>> On 3/23/26 08:10, Li hongliang wrote:
>>> From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
>>>
>>> [ Upstream commit cdb637d339572398821204a1142d8d615668f1e9 ]
>>>
>>> The issue arises when the array 'adev->vcn.vcn_config' is accessed
>>> before checking if the index 'adev->vcn.num_vcn_inst' is within the
>>> bounds of the array.
>>>
>>> The fix involves moving the bounds check before the array access. This
>>> ensures that 'adev->vcn.num_vcn_inst' is within the bounds of the array
>>> before it is used as an index.
>>>
>>> Fixes the below:
>>> drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c:1289 amdgpu_discovery_reg_base_init() error: testing array offset 'adev->vcn.num_vcn_inst' after use.
>>
>> well this patch only fixed a compiler warning and has not much practical value otherwise.
>>
>> Why are you sending this for inclusion into the 6.1 kernel?
>
> Perhaps because it was assigned to CVE-2024-27042? If this is ONLY a
> compiler warning fix, and NOT an actual vulnerability fix, please let
> cve@kernel.org know about that and they will revoke this CVE.

Thanks a lot for pointing that out, adding cve@kernel.org.

As far as I can see the CVE-2024-27042 is not valid or at least not correctly categorized.

It is correct that there is a potential array overrun in amdgpu_discovery_reg_base_init(), but that function is used to parse a VBIOS table from a flash EEPROM located on the HW and not user input.

If an attacker already had the ability to modify that EEPROM he could just overwrite the VBIOS code where parts are directly executed at bootup and/or driver load. So this problem here wouldn't be needed at all.

It is good that this warning is fixed, but as far as I can see there is no reason whatsoever to backport it nor to assign a CVE entry for it.

Regards,
Christian.

>
> thanks,
>
> greg k-h
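
The ordering problem described in the quoted commit message, shown as an added illustration that is not part of this thread and is not the amdgpu driver's code. All names, the array bound and the sample table are hypothetical and constructed; the array and the field behind it are modelled as one byte buffer so that the stray store is observable without undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_INST 4      /* hypothetical array bound */
#define HWID_VCN 0x0c   /* constructed hardware id for the sample table */
#define GUARD    0xAA   /* marker placed in the byte after the array */

struct ip_entry { uint16_t hw_id; uint8_t revision; };
/* mem[0..MAX_INST-1] plays the config array, mem[MAX_INST] its neighbour. */
struct state { uint8_t mem[MAX_INST + 1]; unsigned num_inst; };
typedef int (*parser_fn)(struct state *, const struct ip_entry *, size_t);

/* Before: the index is used for the store and only tested afterwards. */
static int parse_check_after_use(struct state *s, const struct ip_entry *t, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (t[i].hw_id != HWID_VCN) continue;
        s->mem[s->num_inst] = t[i].revision;   /* may hit mem[MAX_INST] */
        if (s->num_inst >= MAX_INST)
            return -1;                         /* error reported too late */
        s->num_inst++;
    }
    return 0;
}

/* After: the index is tested first, so a full array rejects the entry. */
static int parse_check_before_use(struct state *s, const struct ip_entry *t, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (t[i].hw_id != HWID_VCN) continue;
        if (s->num_inst >= MAX_INST)
            return -1;
        s->mem[s->num_inst++] = t[i].revision;
    }
    return 0;
}

/* Run a parser over `count` constructed entries; return the neighbour byte. */
static uint8_t neighbour_after(parser_fn parse, size_t count)
{
    struct ip_entry table[8];
    struct state s = {0};
    if (count > 8) count = 8;
    for (size_t i = 0; i < count; i++)
        table[i] = (struct ip_entry){ HWID_VCN, (uint8_t)(i + 1) };
    s.mem[MAX_INST] = GUARD;
    (void)parse(&s, table, count);
    return s.mem[MAX_INST];
}
```

With one entry more than the array holds, the first parser returns an error but has already overwritten the neighbouring byte, while the second leaves it at `GUARD`.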