From patchwork Tue Oct 21 10:55:19 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dheeraj Jamwal <dheerajx.s.jamwal@intel.com>
X-Patchwork-Id: 5120131
Return-Path: <ltsi-dev-bounces@lists.linuxfoundation.org>
X-Original-To: patchwork-ltsi-dev@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id B21AAC11AC
	for <patchwork-ltsi-dev@patchwork.kernel.org>;
	Tue, 21 Oct 2014 11:53:37 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id D335C20138
	for <patchwork-ltsi-dev@patchwork.kernel.org>;
	Tue, 21 Oct 2014 11:53:36 +0000 (UTC)
Received: from mail.linuxfoundation.org (mail.linuxfoundation.org
	[140.211.169.12])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id DF28A20121
	for <patchwork-ltsi-dev@patchwork.kernel.org>;
	Tue, 21 Oct 2014 11:53:35 +0000 (UTC)
Received: from mail.linux-foundation.org (localhost [127.0.0.1])
	by mail.linuxfoundation.org (Postfix) with ESMTP id 42079B7E;
	Tue, 21 Oct 2014 11:10:53 +0000 (UTC)
X-Original-To: ltsi-dev@lists.linuxfoundation.org
Delivered-To: ltsi-dev@mail.linuxfoundation.org
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 628421223
	for <ltsi-dev@lists.linuxfoundation.org>;
	Tue, 21 Oct 2014 11:10:51 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mga01.intel.com (mga01.intel.com [192.55.52.88])
	by smtp1.linuxfoundation.org (Postfix) with ESMTP id B5FA21FA0F
	for <ltsi-dev@lists.linuxfoundation.org>;
	Tue, 21 Oct 2014 11:10:50 +0000 (UTC)
Received: from fmsmga002.fm.intel.com ([10.253.24.26])
	by fmsmga101.fm.intel.com with ESMTP; 21 Oct 2014 04:10:50 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.04,761,1406617200"; d="scan'208";a="617798940"
Received: from ubuntu-desktop.png.intel.com ([10.221.122.25])
	by fmsmga002.fm.intel.com with ESMTP; 21 Oct 2014 04:10:49 -0700
From: Dheeraj Jamwal <dheerajx.s.jamwal@intel.com>
To: ltsi-dev@lists.linuxfoundation.org
Date: Tue, 21 Oct 2014 18:55:19 +0800
Message-Id: <1413889294-31328-720-git-send-email-dheerajx.s.jamwal@intel.com>
X-Mailer: git-send-email 1.7.9.5
In-Reply-To: <1413889294-31328-1-git-send-email-dheerajx.s.jamwal@intel.com>
References: <dheerajx.s.jamwal@intel.com>
	<1413889294-31328-1-git-send-email-dheerajx.s.jamwal@intel.com>
X-Spam-Status: No, score=-5.6 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED,
	RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
Subject: [LTSI-dev] [PATCH 0719/1094] drm/i915: Validate VBT header before
	trusting it
X-BeenThere: ltsi-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "A list to discuss patches, development,
	and other things related to the LTSI project"
	<ltsi-dev.lists.linuxfoundation.org>
List-Unsubscribe: 
 <https://lists.linuxfoundation.org/mailman/options/ltsi-dev>,
	<mailto:ltsi-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/ltsi-dev/>
List-Post: <mailto:ltsi-dev@lists.linuxfoundation.org>
List-Help: <mailto:ltsi-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/ltsi-dev>,
	<mailto:ltsi-dev-request@lists.linuxfoundation.org?subject=subscribe>
MIME-Version: 1.0
Sender: ltsi-dev-bounces@lists.linuxfoundation.org
Errors-To: ltsi-dev-bounces@lists.linuxfoundation.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Chris Wilson <chris@chris-wilson.co.uk>

Be we read and chase pointers from the VBT, it is prudent to make sure
that those accesses are wholly contained within the MMIO region, or else
we may cause a kernel panic during boot.

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@gmail.com>
Reviewed-by: Shobhit Kumar <shobhit.kumar@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
(cherry picked from commit 3dd4e846042063bf5481df87a00356ee820288de)

Signed-off-by: Dheeraj Jamwal <dheerajx.s.jamwal@intel.com>
---
 drivers/gpu/drm/i915/intel_bios.c |   68 +++++++++++++++++++++++++++----------
 1 file changed, 50 insertions(+), 18 deletions(-)

diff --git a/drivers/gpu/drm/i915/intel_bios.c b/drivers/gpu/drm/i915/intel_bios.c
index 8f8b11a..6b65096 100644
--- a/drivers/gpu/drm/i915/intel_bios.c
+++ b/drivers/gpu/drm/i915/intel_bios.c
@@ -1129,6 +1129,46 @@ static const struct dmi_system_id intel_no_opregion_vbt[] = {
 	{ }
 };
 
+static struct bdb_header *validate_vbt(char *base, size_t size,
+				       struct vbt_header *vbt,
+				       const char *source)
+{
+	size_t offset;
+	struct bdb_header *bdb;
+
+	if (vbt == NULL) {
+		DRM_DEBUG_DRIVER("VBT signature missing\n");
+		return NULL;
+	}
+
+	offset = (char *)vbt - base;
+	if (offset + sizeof(struct vbt_header) > size) {
+		DRM_DEBUG_DRIVER("VBT header incomplete\n");
+		return NULL;
+	}
+
+	if (memcmp(vbt->signature, "$VBT", 4)) {
+		DRM_DEBUG_DRIVER("VBT invalid signature\n");
+		return NULL;
+	}
+
+	offset += vbt->bdb_offset;
+	if (offset + sizeof(struct bdb_header) > size) {
+		DRM_DEBUG_DRIVER("BDB header incomplete\n");
+		return NULL;
+	}
+
+	bdb = (struct bdb_header *)(base + offset);
+	if (offset + bdb->bdb_size > size) {
+		DRM_DEBUG_DRIVER("BDB incomplete\n");
+		return NULL;
+	}
+
+	DRM_DEBUG_KMS("Using VBT from %s: %20s\n",
+		      source, vbt->signature);
+	return bdb;
+}
+
 /**
  * intel_parse_bios - find VBT and initialize settings from the BIOS
  * @dev: DRM device
@@ -1152,20 +1192,13 @@ intel_parse_bios(struct drm_device *dev)
 	init_vbt_defaults(dev_priv);
 
 	/* XXX Should this validation be moved to intel_opregion.c? */
-	if (!dmi_check_system(intel_no_opregion_vbt) && dev_priv->opregion.vbt) {
-		struct vbt_header *vbt = dev_priv->opregion.vbt;
-		if (memcmp(vbt->signature, "$VBT", 4) == 0) {
-			DRM_DEBUG_KMS("Using VBT from OpRegion: %20s\n",
-					 vbt->signature);
-			bdb = (struct bdb_header *)((char *)vbt + vbt->bdb_offset);
-		} else
-			dev_priv->opregion.vbt = NULL;
-	}
+	if (!dmi_check_system(intel_no_opregion_vbt) && dev_priv->opregion.vbt)
+		bdb = validate_vbt((char *)dev_priv->opregion.header, OPREGION_SIZE,
+				   (struct vbt_header *)dev_priv->opregion.vbt,
+				   "OpRegion");
 
 	if (bdb == NULL) {
-		struct vbt_header *vbt = NULL;
-		size_t size;
-		int i;
+		size_t i, size;
 
 		bios = pci_map_rom(pdev, &size);
 		if (!bios)
@@ -1173,19 +1206,18 @@ intel_parse_bios(struct drm_device *dev)
 
 		/* Scour memory looking for the VBT signature */
 		for (i = 0; i + 4 < size; i++) {
-			if (!memcmp(bios + i, "$VBT", 4)) {
-				vbt = (struct vbt_header *)(bios + i);
+			if (memcmp(bios + i, "$VBT", 4) == 0) {
+				bdb = validate_vbt(bios, size,
+						   (struct vbt_header *)(bios + i),
+						   "PCI ROM");
 				break;
 			}
 		}
 
-		if (!vbt) {
-			DRM_DEBUG_DRIVER("VBT signature missing\n");
+		if (!bdb) {
 			pci_unmap_rom(pdev, bios);
 			return -1;
 		}
-
-		bdb = (struct bdb_header *)(bios + i + vbt->bdb_offset);
 	}
 
 	/* Grab useful general definitions */