On Thu, Nov 18, 2021 at 11:37 AM Amol <suratiamol@xxxxxxxxx> wrote:
>
> Hello,
>
> The function radeon_get_atom_connector_info_from_object_table,
> at location [1], ends up parsing ATOM_COMMON_TABLE_HEADER
> as ATOM_COMMON_RECORD_HEADER if
> enc_obj->asObjects[k].usRecordOffset is zero. It is found to be zero
> in the BIOS found at [2].
>
> Thankfully, the loop that follows exits immediately since ucRecordSize
> is 0 because
> (ATOM_COMMON_TABLE_HEADER.usStructureSize & 0xff00) is zero.
> But, with suitable values in the usStructureSize, the loop can be made to
> run and parse garbage.
>
> A similar loop exists when parsing the conn objects.

Can you send a patch to make it more robust?

Thanks,

Alex

>
> -Amol
>
> [1] https://github.com/torvalds/linux/blob/master/drivers/gpu/drm/radeon/radeon_atombios.c#L652
> [2] https://www.techpowerup.com/vgabios/211981/211981
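The aliasing described in this thread, as an added illustration that is not code from the radeon driver or from either poster: a simplified model of the record walk, run over two constructed tables with and without offset and length checks. The layouts (a 4-byte little-endian table header, a 2-byte type/size record header), the names `walk_records`, `TABLE_OK`, `TABLE_BAD` and `MAX_REC_TYPE`, and the choice to reject a record offset that falls inside the table header are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_HDR_LEN 4    /* usStructureSize (LE16) + two revision bytes */
#define REC_HDR_LEN   2    /* ucRecordType, ucRecordSize */
#define MAX_REC_TYPE  0x20 /* hypothetical upper bound for this sketch */

/* Constructed tables: two records (type 1/size 4, type 2/size 6) + terminator. */
static const uint8_t TABLE_OK[16] = {          /* usStructureSize = 0x0010 */
    0x10, 0x00, 0x01, 0x01,  0x01, 0x04, 0xAA, 0xBB,
    0x02, 0x06, 0, 0, 0, 0,  0x00, 0x00 };
static const uint8_t TABLE_BAD[0x0410] = {     /* usStructureSize = 0x0410 */
    0x10, 0x04, 0x01, 0x01,  0x01, 0x04, 0xAA, 0xBB,
    0x02, 0x06, 0, 0, 0, 0,  0x00, 0x00 };     /* remainder is zero-filled */

/* Walk the record chain at rec_off. Returns the number of records accepted,
 * or -1 when checked mode rejects the offset or a record length. Reads stay
 * inside tbl in both modes so the demo is safe to run. */
int walk_records(const uint8_t *tbl, size_t len, uint16_t rec_off, int checked)
{
    size_t pos = rec_off;
    int n = 0;

    if (checked && rec_off < TABLE_HDR_LEN)
        return -1;   /* offset 0 would alias the table header as a record */
    while (pos + REC_HDR_LEN <= len) {
        uint8_t type = tbl[pos], size = tbl[pos + 1];

        if (size == 0 || type == 0 || type > MAX_REC_TYPE)
            return n;                 /* normal end of the chain */
        if (checked && (size < REC_HDR_LEN || pos + size > len))
            return -1;                /* record cannot fit in the table */
        n++;
        pos += size;
    }
    return checked ? -1 : n;          /* ran off the table without a terminator */
}

int main(void)
{
    printf("ok, offset 4, checked:    %d\n", walk_records(TABLE_OK, sizeof TABLE_OK, 4, 1));
    printf("ok, offset 0, unchecked:  %d\n", walk_records(TABLE_OK, sizeof TABLE_OK, 0, 0));
    printf("bad, offset 0, unchecked: %d\n", walk_records(TABLE_BAD, sizeof TABLE_BAD, 0, 0));
    printf("bad, offset 0, checked:   %d\n", walk_records(TABLE_BAD, sizeof TABLE_BAD, 0, 1));
    return 0;
}
```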