[PATCH] drm/radeon: more sanity checks (usRecordOffset) to obj info record parsing

[Amol Surati <suratiamol@xxxxxxxxx>]

When parsing Encoder, Connector, or Router records, if the
usRecordOffset field is 0, the driver ends up dereferencing
ATOM_COMMON_TABLE_HEADER of the Object Table as
ATOM_COMMON_RECORD_HEADER.

A BIOS, which triggers such dereferences when parsing the
Encoder records, is found on Cedar Radeon HD 7350/8350 GPU.

Allow record dereferences only if usRecordOffset is non-zero.

Signed-off-by: Amol Surati <suratiamol@xxxxxxxxx>
---
 drivers/gpu/drm/radeon/radeon_atombios.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c
index 28c4413f4..bab0e1cc2 100644
--- a/drivers/gpu/drm/radeon/radeon_atombios.c
+++ b/drivers/gpu/drm/radeon/radeon_atombios.c
@@ -646,14 +646,15 @@ bool radeon_get_atom_connector_info_from_object_table(struct drm_device *dev)
 				if (grph_obj_type == GRAPH_OBJECT_TYPE_ENCODER) {
 					for (k = 0; k < enc_obj->ucNumberOfObjects; k++) {
 						u16 encoder_obj = le16_to_cpu(enc_obj->asObjects[k].usObjectID);
+						u16 rec_offset = le16_to_cpu(enc_obj->asObjects[k].usRecordOffset);
 						if (le16_to_cpu(path->usGraphicObjIds[j]) == encoder_obj) {
 							ATOM_COMMON_RECORD_HEADER *record = (ATOM_COMMON_RECORD_HEADER *)
-								(ctx->bios + data_offset +
-								 le16_to_cpu(enc_obj->asObjects[k].usRecordOffset));
+								(ctx->bios + data_offset + rec_offset);
 							ATOM_ENCODER_CAP_RECORD *cap_record;
 							u16 caps = 0;
 
-							while (record->ucRecordSize > 0 &&
+							while (rec_offset > 0 &&
+							       record->ucRecordSize > 0 &&
 							       record->ucRecordType > 0 &&
 							       record->ucRecordType <= ATOM_MAX_OBJECT_RECORD_NUMBER) {
 								switch (record->ucRecordType) {
@@ -677,10 +678,10 @@ bool radeon_get_atom_connector_info_from_object_table(struct drm_device *dev)
 				} else if (grph_obj_type == GRAPH_OBJECT_TYPE_ROUTER) {
 					for (k = 0; k < router_obj->ucNumberOfObjects; k++) {
 						u16 router_obj_id = le16_to_cpu(router_obj->asObjects[k].usObjectID);
+						u16 rec_offset = le16_to_cpu(router_obj->asObjects[k].usRecordOffset);
 						if (le16_to_cpu(path->usGraphicObjIds[j]) == router_obj_id) {
 							ATOM_COMMON_RECORD_HEADER *record = (ATOM_COMMON_RECORD_HEADER *)
-								(ctx->bios + data_offset +
-								 le16_to_cpu(router_obj->asObjects[k].usRecordOffset));
+								(ctx->bios + data_offset + rec_offset);
 							ATOM_I2C_RECORD *i2c_record;
 							ATOM_I2C_ID_CONFIG_ACCESS *i2c_config;
 							ATOM_ROUTER_DDC_PATH_SELECT_RECORD *ddc_path;
@@ -702,7 +703,8 @@ bool radeon_get_atom_connector_info_from_object_table(struct drm_device *dev)
 									break;
 							}
 
-							while (record->ucRecordSize > 0 &&
+							while (rec_offset > 0 &&
+							       record->ucRecordSize > 0 &&
 							       record->ucRecordType > 0 &&
 							       record->ucRecordType <= ATOM_MAX_OBJECT_RECORD_NUMBER) {
 								switch (record->ucRecordType) {
@@ -753,19 +755,18 @@ bool radeon_get_atom_connector_info_from_object_table(struct drm_device *dev)
 					if (le16_to_cpu(path->usConnObjectId) ==
 					    le16_to_cpu(con_obj->asObjects[j].
 							usObjectID)) {
+						u16 rec_offset = le16_to_cpu(con_obj->asObjects[j].usRecordOffset);
 						ATOM_COMMON_RECORD_HEADER
 						    *record =
 						    (ATOM_COMMON_RECORD_HEADER
 						     *)
-						    (ctx->bios + data_offset +
-						     le16_to_cpu(con_obj->
-								 asObjects[j].
-								 usRecordOffset));
+						    (ctx->bios + data_offset + rec_offset);
 						ATOM_I2C_RECORD *i2c_record;
 						ATOM_HPD_INT_RECORD *hpd_record;
 						ATOM_I2C_ID_CONFIG_ACCESS *i2c_config;
 
-						while (record->ucRecordSize > 0 &&
+						while (rec_offset > 0 &&
+						       record->ucRecordSize > 0 &&
 						       record->ucRecordType > 0 &&
 						       record->ucRecordType <= ATOM_MAX_OBJECT_RECORD_NUMBER) {
 							switch (record->ucRecordType) {
-- 
2.33.1