Re: [PATCH 2/2] drm/i915: Validate BDB section before reading

On Tue, May 13, 2014 at 03:36:59PM -0700, Jesse Barnes wrote:
> On Tue, 25 Mar 2014 12:57:32 +0000
> Chris Wilson <chris@xxxxxxxxxxxxxxxxxx> wrote:
> 
> > Make sure that the whole BDB section is within the MMIO region prior to
> > accessing its contents. That we don't read outside of the section is left
> > up to the individual section parsers.
> > 
> > Signed-off-by: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>
> > ---
> >  drivers/gpu/drm/i915/intel_bios.c | 8 +++++++-
> >  1 file changed, 7 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/gpu/drm/i915/intel_bios.c b/drivers/gpu/drm/i915/intel_bios.c
> > index de9aabe2d8c2..8ca1cd5b2517 100644
> > --- a/drivers/gpu/drm/i915/intel_bios.c
> > +++ b/drivers/gpu/drm/i915/intel_bios.c
> > @@ -49,13 +49,19 @@ find_section(struct bdb_header *bdb, int section_id)
> >  	total = bdb->bdb_size;
> >  
> >  	/* walk the sections looking for section_id */
> > -	while (index < total) {
> > +	while (index + 3 < total) {
> >  		current_id = *(base + index);
> >  		index++;
> > +
> >  		current_size = *((u16 *)(base + index));
> >  		index += 2;
> > +
> > +		if (index + current_size > total)
> > +			return NULL;
> > +
> >  		if (current_id == section_id)
> >  			return base + index;
> > +
> >  		index += current_size;
> >  	}
> >  
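Review bot: The new check `if (index + current_size > total)` is only as strong as `total`, which the context line `total = bdb->bdb_size;` takes from the very header being parsed; nothing visible in this hunk ties that value to the size of the mapped region the commit message refers to. If that comparison is not made before find_section() is called, it should be added here or in the caller, otherwise an oversized bdb_size still lets the walk run past the mapping. A smaller point on the loop condition: `while (index + 3 < total)` stops one byte early, so a zero-length section whose 3-byte header ends exactly at `total` is never matched; `index + 3 <= total` would cover that case while still keeping the id and size reads in bounds. Since the function returns only `base + index`, the section parsers that the commit message makes responsible for staying inside the section have to re-read the size themselves; a comment saying so at the return would help.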
> 
> Oh cool, did we see stuff in the wild where it all went sideways?

Fallout from review and imo justified given how the vbt is cobbled
together in general. Nothing spotted in the wild yet afaik.
-Daniel
-- 
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch