On Wed, Jun 18, 2014 at 03:37:30PM -0400, Alex Deucher wrote: > On Wed, Jun 18, 2014 at 12:52 PM, Thomas Wood <thomas.wood@xxxxxxxxx> wrote: > > +static ssize_t edid_write(struct file *file, const char __user *ubuf, > > + size_t len, loff_t *offp) > > +{ > > + struct seq_file *m = file->private_data; > > + struct drm_connector *connector = m->private; > > + char *buf; > > + struct edid *edid; > > + int ret; > > + > > + buf = memdup_user(ubuf, len); > > + if (IS_ERR(buf)) > > + return PTR_ERR(buf); > > + > > + edid = (struct edid *) buf; > > + > > + if (len == 5 && !strncmp(buf, "reset", 5)) { > > + connector->override_edid = false; > > + ret = drm_mode_connector_update_edid_property(connector, NULL); > > + } else if (len < EDID_LENGTH || > > + EDID_LENGTH * (1 + edid->extensions) > len) > > + ret = -EINVAL; > > + else { > > + connector->override_edid = false; > > Might be worth doing some minimal validation of the EDID (e.g., make > sure it has a valid header). Actually we also have plans to abuse this for a bit of nasty EDID injection to exercise our parser. So at most we should do just enough checking to make sure the claimed edid length field agrees with the edid itself (which we have), but beyond that any kind of garbage should be allowed imo. -Daniel -- Daniel Vetter Software Engineer, Intel Corporation +41 (0) 79 365 57 48 - http://blog.ffwll.ch _______________________________________________ Intel-gfx mailing list Intel-gfx@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/intel-gfx