On 19/11/2021, Alex Deucher <alexdeucher@xxxxxxxxx> wrote:
> On Thu, Nov 18, 2021 at 11:37 AM Amol <suratiamol@xxxxxxxxx> wrote:
>>
>> Hello,
>>
>> The function radeon_get_atom_connector_info_from_object_table,
>> at location [1], ends up parsing ATOM_COMMON_TABLE_HEADER
>> as ATOM_COMMON_RECORD_HEADER if
>> enc_obj->asObjects[k].usRecordOffset is zero. It is found to be zero
>> in the BIOS found at [2].
>>
>> Thankfully, the loop that follows exits immediately since ucRecordSize
>> is 0 because
>> (ATOM_COMMON_TABLE_HEADER.usStructureSize & 0xff00) is zero.
>> But, with suitable values in the usStructureSize, the loop can be made to
>> run and parse garbage.
>>
>> A similar loop exists when parsing the conn objects.
>
> Can you send a patch to make it more robust?

Sent on a separate email.

Thanks,
Amol

>
> Thanks,
>
> Alex
>
>>
>> -Amol
>>
>> [1] https://github.com/torvalds/linux/blob/master/drivers/gpu/drm/radeon/radeon_atombios.c#L652
>> [2] https://www.techpowerup.com/vgabios/211981/211981
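The aliasing Amol describes, as an added stand-alone model that is neither the radeon driver's code nor the patch he sent: ATOM_COMMON_RECORD_HEADER is two bytes (ucRecordType, ucRecordSize), so a record offset of 0 lays it over the low and high bytes of usStructureSize in the ATOM_COMMON_TABLE_HEADER that begins the table. The 16-byte sample table, the DEMO_MAX_RECORD_TYPE bound and the scenario helpers are constructed here for illustration (the driver's real object-table layout has more fields and its own record-type limit, which are not reproduced). The unguarded walk mimics the loop's termination conditions as the mail states them; the checked walk shows the bounds a hardened parser would enforce.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field names follow drivers/gpu/drm/radeon/atombios.h; neither struct has
 * padding, so sizeof() matches the on-disk layout. */
typedef struct {
    uint16_t usStructureSize;      /* little-endian in the BIOS image */
    uint8_t  ucTableFormatRevision;
    uint8_t  ucTableContentRevision;
} ATOM_COMMON_TABLE_HEADER;        /* 4 bytes */

typedef struct {
    uint8_t ucRecordType;          /* at offset 0 this is usStructureSize's low byte */
    uint8_t ucRecordSize;          /* at offset 1 this is usStructureSize's high byte */
} ATOM_COMMON_RECORD_HEADER;       /* 2 bytes */

#define DEMO_MAX_RECORD_TYPE 20    /* assumed bound for the demo, not the driver's */

/* Constructed sample table (not from any real BIOS): 4-byte header, records
 * at offsets 4 and 8, zero terminator at 12. */
#define SAMPLE_LEN 16
static const uint8_t sample_table[SAMPLE_LEN] = {
    0x10, 0x00, 0x01, 0x01,   /* usStructureSize = 16, format rev 1, content rev 1 */
    0x01, 0x04, 0xAA, 0xBB,   /* record: type 1, size 4, two payload bytes */
    0x02, 0x04, 0xCC, 0xDD,   /* record: type 2, size 4 */
    0x00, 0x00, 0x00, 0x00,   /* terminator: ucRecordType = ucRecordSize = 0 */
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Model of the loop in the mail: start at record_off, continue while
 * ucRecordSize > 0 and ucRecordType is in range, advance by ucRecordSize.
 * Nothing ties the walk to the table size. Returns records accepted; *oob is
 * set when the next header would fall outside the buffer (the demo stops
 * there rather than reading out of bounds). */
static int walk_records_unguarded(const uint8_t *tab, size_t tab_len,
                                  uint16_t record_off, int *oob)
{
    size_t off = record_off;
    int count = 0;
    *oob = 0;
    for (;;) {
        ATOM_COMMON_RECORD_HEADER rec;
        if (off + sizeof rec > tab_len) { *oob = 1; return count; }
        memcpy(&rec, tab + off, sizeof rec);
        if (rec.ucRecordSize == 0 || rec.ucRecordType == 0 ||
            rec.ucRecordType > DEMO_MAX_RECORD_TYPE)
            return count;
        count++;
        off += rec.ucRecordSize;
    }
}

/* Hardened walk: the record list must start past the table header (so offset
 * 0 is rejected instead of aliased onto usStructureSize), the declared table
 * size must fit the buffer, and every header and body must lie inside it.
 * Returns the record count, or -1 on rejection. */
static int walk_records_checked(const uint8_t *tab, size_t tab_len,
                                uint16_t record_off)
{
    if (tab_len < sizeof(ATOM_COMMON_TABLE_HEADER))
        return -1;
    size_t limit = rd16le(tab);                        /* usStructureSize */
    if (limit < sizeof(ATOM_COMMON_TABLE_HEADER) || limit > tab_len)
        return -1;
    if (record_off < sizeof(ATOM_COMMON_TABLE_HEADER))
        return -1;
    size_t off = record_off;
    int count = 0;
    for (;;) {
        ATOM_COMMON_RECORD_HEADER rec;
        if (off + sizeof rec > limit)                   /* no terminator in table */
            return -1;
        memcpy(&rec, tab + off, sizeof rec);
        if (rec.ucRecordSize == 0 || rec.ucRecordType == 0)
            return count;                               /* terminator */
        if (rec.ucRecordType > DEMO_MAX_RECORD_TYPE ||
            rec.ucRecordSize < sizeof rec ||            /* must make progress */
            off + rec.ucRecordSize > limit)             /* body must fit */
            return -1;
        count++;
        off += rec.ucRecordSize;
    }
}

/* Scenario helpers: copy the sample, overwrite the two usStructureSize bytes
 * with lo/hi (what a crafted image controls), walk from record_off. */
static void craft(uint8_t tab[SAMPLE_LEN], uint8_t lo, uint8_t hi)
{
    memcpy(tab, sample_table, SAMPLE_LEN);
    tab[0] = lo; tab[1] = hi;
}
static int scenario_unguarded_count(uint8_t lo, uint8_t hi, uint16_t off)
{
    uint8_t tab[SAMPLE_LEN]; int oob;
    craft(tab, lo, hi);
    return walk_records_unguarded(tab, SAMPLE_LEN, off, &oob);
}
static int scenario_unguarded_oob(uint8_t lo, uint8_t hi, uint16_t off)
{
    uint8_t tab[SAMPLE_LEN]; int oob;
    craft(tab, lo, hi);
    walk_records_unguarded(tab, SAMPLE_LEN, off, &oob);
    return oob;
}
static int scenario_checked(uint8_t lo, uint8_t hi, uint16_t off)
{
    uint8_t tab[SAMPLE_LEN];
    craft(tab, lo, hi);
    return walk_records_checked(tab, SAMPLE_LEN, off);
}

int main(void)
{
    printf("offset 4, size 0x0010: unguarded=%d checked=%d\n",
           scenario_unguarded_count(0x10, 0x00, 4), scenario_checked(0x10, 0x00, 4));
    printf("offset 0, size 0x0010: unguarded=%d (exits at once) checked=%d\n",
           scenario_unguarded_count(0x10, 0x00, 0), scenario_checked(0x10, 0x00, 0));
    printf("offset 0, size 0x0401: unguarded=%d (header eaten as record) checked=%d\n",
           scenario_unguarded_count(0x01, 0x04, 0), scenario_checked(0x01, 0x04, 0));
    printf("offset 0, size 0x0903: unguarded=%d oob=%d checked=%d\n",
           scenario_unguarded_count(0x03, 0x09, 0), scenario_unguarded_oob(0x03, 0x09, 0),
           scenario_checked(0x03, 0x09, 0));
    return 0;
}
```

The benign case (usStructureSize = 0x0010) is the one from the BIOS in the mail: the high byte is zero, so ucRecordSize reads as 0 and the unguarded loop stops before touching anything. A header of 0x0401 makes the same loop accept the header bytes as a type-1 record and then continue into the real records; 0x0903 makes it step from the middle of a record onto payload bytes and attempt to read past the buffer. The checked walk refuses every offset inside the header, not just zero, because any offset below sizeof(ATOM_COMMON_TABLE_HEADER) still overlaps fields the attacker controls.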