Commit ff00ff96 authored by Lucas De Marchi's avatar Lucas De Marchi

drm/i915/bios: make sure to check vbt size

When we call intel_bios_is_valid_vbt(), size may not actually be the
size of the VBT, but rather the size of the blob the VBT is contained
in. For example, when mapping the PCI oprom, size will be the entire
oprom size. We don't want to read beyond what is reported to be the
VBT. So make sure we vbt->vbt_size makes sense and use that for
the latter checks.

v2: check for vbt_size after checking for vbt signature and give it a
more meaningful error message (from Jani)
Signed-off-by: default avatarLucas De Marchi <lucas.demarchi@intel.com>
Reviewed-by: default avatarJani Nikula <jani.nikula@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20191108003602.33526-3-lucas.demarchi@intel.com
parent 496f50a6
...@@ -1772,6 +1772,13 @@ bool intel_bios_is_valid_vbt(const void *buf, size_t size) ...@@ -1772,6 +1772,13 @@ bool intel_bios_is_valid_vbt(const void *buf, size_t size)
return false; return false;
} }
if (vbt->vbt_size > size) {
DRM_DEBUG_DRIVER("VBT incomplete (vbt_size overflows)\n");
return false;
}
size = vbt->vbt_size;
if (range_overflows_t(size_t, if (range_overflows_t(size_t,
vbt->bdb_offset, vbt->bdb_offset,
sizeof(struct bdb_header), sizeof(struct bdb_header),
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment