From patchwork Fri Apr 18 21:04:23 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Rodrigo Vivi X-Patchwork-Id: 4018541 Return-Path: X-Original-To: patchwork-intel-gfx@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork1.web.kernel.org (Postfix) with ESMTP id 6817E9F369 for ; Fri, 18 Apr 2014 21:04:47 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 924A0203AC for ; Fri, 18 Apr 2014 21:04:46 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) by mail.kernel.org (Postfix) with ESMTP id C67B72038D for ; Fri, 18 Apr 2014 21:04:45 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 3BC1D6ECF4; Fri, 18 Apr 2014 14:04:45 -0700 (PDT) X-Original-To: intel-gfx@lists.freedesktop.org Delivered-To: intel-gfx@lists.freedesktop.org Received: from mail-pd0-f178.google.com (mail-pd0-f178.google.com [209.85.192.178]) by gabe.freedesktop.org (Postfix) with ESMTP id B110F6ECF2 for ; Fri, 18 Apr 2014 14:04:43 -0700 (PDT) Received: by mail-pd0-f178.google.com with SMTP id x10so1776579pdj.9 for ; Fri, 18 Apr 2014 14:04:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=T6lsvWLq6uJdd0UiOY3qXcB0nCLqefOjePE7g/2K6Qk=; b=KRLheYElGQX42FwQ2iEmp4A3q7n2Myk6vyL/PNBVOuqtdP0A8CHtHpVDOsjztvziWb sV6OU9gnbpi272UFfu2WuVoxWkCiAtoloMg8lsTWvO+Rcs+LEVz/HAEgdwQEofskXaVL bwlynUKlZKzffgeJqb5FN/VyFy+0RjPsa7kwMntzyBevYagG09DI94OQ1m0F+loV4TxP STPRyyc0zlvuS0uM+ku72OqULFTbu5e5yxqLrvBtrkmKl6TOCjLgbS+SkM36jxKT4FSS A8JZbwsdd9v2nSeeon0YY/7ro6lRf16m+s2MSuknovFp+FkSY+CHdgdSrSUP3hkV+4DN Qo5Q== X-Received: by 10.66.184.239 with SMTP id ex15mr24051729pac.122.1397855083606; Fri, 18 Apr 2014 14:04:43 -0700 (PDT) Received: from localhost (jfdmzpr03-ext.jf.intel.com. [134.134.139.72]) by mx.google.com with ESMTPSA id vg1sm61793933pbc.44.2014.04.18.14.04.42 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 18 Apr 2014 14:04:42 -0700 (PDT) From: Rodrigo Vivi To: intel-gfx@lists.freedesktop.org Date: Fri, 18 Apr 2014 18:04:23 -0300 Message-Id: <1397855070-4480-8-git-send-email-rodrigo.vivi@gmail.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1397855070-4480-1-git-send-email-rodrigo.vivi@gmail.com> References: <1397855070-4480-1-git-send-email-rodrigo.vivi@gmail.com> Subject: [Intel-gfx] [PATCH 07/14] drm/i915: Validate BDB section before reading X-BeenThere: intel-gfx@lists.freedesktop.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Intel graphics driver community testing & development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: intel-gfx-bounces@lists.freedesktop.org Sender: "Intel-gfx" X-Spam-Status: No, score=-4.7 required=5.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_MED, RP_MATCHES_RCVD, T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Chris Wilson Make sure that the whole BDB section is within the MMIO region prior to accessing it contents. That we don't read outside of the secion is left up to the individual section parsers. Signed-off-by: Chris Wilson Signed-off-by: Rodrigo Vivi Reviewed-by: Shobhit Kumar --- drivers/gpu/drm/i915/intel_bios.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/intel_bios.c b/drivers/gpu/drm/i915/intel_bios.c index fc9e806..2945f57 100644 --- a/drivers/gpu/drm/i915/intel_bios.c +++ b/drivers/gpu/drm/i915/intel_bios.c @@ -49,13 +49,19 @@ find_section(struct bdb_header *bdb, int section_id) total = bdb->bdb_size; /* walk the sections looking for section_id */ - while (index < total) { + while (index + 3 < total) { current_id = *(base + index); index++; + current_size = *((u16 *)(base + index)); index += 2; + + if (index + current_size > total) + return NULL; + if (current_id == section_id) return base + index; + index += current_size; }