drm/bridge/sii8620: Fix memory corruption
authorMaciej Purski <m.purski@samsung.com>
Mon, 21 Aug 2017 10:32:51 +0000 (12:32 +0200)
committerAndrzej Hajda <a.hajda@samsung.com>
Thu, 24 Aug 2017 17:06:32 +0000 (19:06 +0200)
Function sii8620_mt_read_devcap_reg_recv() used to read array index
from a wrong msg register, which caused writing out of array
bounds. It led to writing on other fields of struct sii8620.

Signed-off-by: Maciej Purski <m.purski@samsung.com>
Fixes: e9c6da270 ("drm/bridge/sii8620: add reading device capability
       registers")
Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
Link: https://patchwork.freedesktop.org/patch/msgid/1503311571-25819-1-git-send-email-m.purski@samsung.com
drivers/gpu/drm/bridge/sil-sii8620.c

index 2d51a2269fc610ffc705abcb7a49c1bdcaffbae9..5131bfb94f065ceb20ba61713f990b76f11103cb 100644 (file)
@@ -597,9 +597,9 @@ static void sii8620_mt_read_devcap(struct sii8620 *ctx, bool xdevcap)
 static void sii8620_mt_read_devcap_reg_recv(struct sii8620 *ctx,
                struct sii8620_mt_msg *msg)
 {
-       u8 reg = msg->reg[0] & 0x7f;
+       u8 reg = msg->reg[1] & 0x7f;
 
-       if (msg->reg[0] & 0x80)
+       if (msg->reg[1] & 0x80)
                ctx->xdevcap[reg] = msg->ret;
        else
                ctx->devcap[reg] = msg->ret;