On Fri, Jul 10, 2015 at 02:10:54PM +0300, Antti Koskipaa wrote: > VBT version 196 increased the size of common_child_dev_config. The parser > code assumed that the size of this structure would not change. > > So now, instead of checking for smaller size, check that the VBT entry is > not too large and memcpy only child_dev_size amount of data, leaving any > trailing entries as zero. If this is not good enough for the future, > we can always sprinkle extra version checks in there. > > Signed-off-by: Antti Koskipaa <antti.koskipaa@xxxxxxxxxxxxxxx> > --- > drivers/gpu/drm/i915/intel_bios.c | 9 +++++++-- > 1 file changed, 7 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/i915/intel_bios.c b/drivers/gpu/drm/i915/intel_bios.c > index 2ff9eb0..763a636 100644 > --- a/drivers/gpu/drm/i915/intel_bios.c > +++ b/drivers/gpu/drm/i915/intel_bios.c > @@ -1022,10 +1022,15 @@ parse_device_mapping(struct drm_i915_private *dev_priv, > DRM_DEBUG_KMS("No general definition block is found, no devices defined.\n"); > return; > } > - if (p_defs->child_dev_size < sizeof(*p_child)) { > + /* Historically, child_dev_size has to be at least 33 bytes in size. */ > + if (p_defs->child_dev_size < 33) { > DRM_ERROR("General definiton block child device size is too small.\n"); "definition" > return; > } > + if (p_defs->child_dev_size > sizeof(*p_child)) { > + DRM_ERROR("General definiton block child device size is too large.\n"); "definition" > + return; > + } > /* get the block size of general definitions */ > block_size = get_blocksize(p_defs); > /* get the number of child device */ 
> @@ -1070,7 +1075,7 @@ parse_device_mapping(struct drm_i915_private *dev_priv, > > child_dev_ptr = dev_priv->vbt.child_dev + count; > count++; > - memcpy(child_dev_ptr, p_child, sizeof(*p_child)); > + memcpy(child_dev_ptr, p_child, p_defs->child_dev_size); > } > return; > } > -- > 2.3.6
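Review bot: the lower bound in the first hunk, if (p_defs->child_dev_size < 33), uses a bare 33 whose only explanation is the comment above it. A named constant for the legacy entry size would record where the value comes from and keep the check and the comment from drifting apart. Both DRM_ERROR strings would also be more useful if they printed child_dev_size next to sizeof(*p_child), since the commit message expects the size to change again with future VBT versions and the log is where a rejected table gets diagnosed. The "definiton" spelling in both messages is already flagged in the reply.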
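Review bot: the memcpy on the + line of the second hunk now copies p_defs->child_dev_size bytes, so the commit message's "leaving any trailing entries as zero" holds only if dev_priv->vbt.child_dev is zero-initialised when it is allocated, and that allocation is not visible in this hunk. Worth confirming it comes from a zeroing allocator, or clearing the entry before the copy. The copy length is safe only because of the new "too large" check in the first hunk, so a short comment at the memcpy noting that child_dev_size was validated against sizeof(*p_child) would keep that dependency visible if the checks are later moved. The code that advances p_child between entries is also outside the hunk; it should step by child_dev_size rather than sizeof(*p_child), otherwise a table with smaller entries would be read at the wrong offsets.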