On Wed, Jun 18, 2014 at 03:37:30PM -0400, Alex Deucher wrote:
> On Wed, Jun 18, 2014 at 12:52 PM, Thomas Wood <thomas.wood@xxxxxxxxx> wrote:
> > +static ssize_t edid_write(struct file *file, const char __user *ubuf, > > + size_t len, loff_t *offp) > > +{ > > + struct seq_file *m = file->private_data; > > + struct drm_connector *connector = m->private; > > + char *buf; > > + struct edid *edid; > > + int ret; > > + > > + buf = memdup_user(ubuf, len); > > + if (IS_ERR(buf)) > > + return PTR_ERR(buf); > > + > > + edid = (struct edid *) buf; > > + > > + if (len == 5 && !strncmp(buf, "reset", 5)) { > > + connector->override_edid = false; > > + ret = drm_mode_connector_update_edid_property(connector, NULL); > > + } else if (len < EDID_LENGTH || > > + EDID_LENGTH * (1 + edid->extensions) > len) > > + ret = -EINVAL; > > + else { > > + connector->override_edid = false;
> >
> Might be worth doing some minimal validation of the EDID (e.g., make
> sure it has a valid header).

Actually we also have plans to abuse this for a bit of nasty EDID injection to exercise our parser. So at most we should do just enough checking to make sure the claimed edid length field agrees with the edid itself (which we have), but beyond that any kind of garbage should be allowed imo.
-Daniel
--
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/dri-devel
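
Review bot: in the `else if` condition of edid_write(), `EDID_LENGTH * (1 + edid->extensions) > len` only rejects a write that is shorter than the size the EDID claims, so a buffer with extra bytes after the claimed blocks is accepted. If the intent is that the claimed length agrees with what was written, compare with `!=` rather than `>`. Separately, `len` goes to `memdup_user(ubuf, len)` before any size check, so an upper bound on `len` ahead of the copy would keep an oversized write from being duplicated into kernel memory only to be rejected or ignored afterwards. Style point: the `else if` branch has no braces while the `if` and `else` branches do; bracing all three keeps the chain consistent.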