[Nouveau] [PATCH] drm/nouveau: fix off by one in BIOS boundry checking

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Nick Lopez <github@glowingmonkey.org>
To: nouveau@lists.freedesktop.org, dri-devel@lists.freedesktop.org
Cc: Nick Lopez <github@glowingmonkey.org>
Subject: [Nouveau] [PATCH] drm/nouveau: fix off by one in BIOS boundry checking
Date: Sat, 22 Jan 2022 01:19:06 -0700	[thread overview]
Message-ID: <20220122081906.2633061-1-github@glowingmonkey.org> (raw)

Bounds checking when parsing init scripts embedded in the BIOS reject
access to the last byte. This causes driver initialization to fail on
Apple eMac's with GeForce 2 MX GPUs, leaving the system with no working
console.

This is probably only seen on OpenFirmware machines like PowerPC Macs
because the BIOS image provides by OF is only the used parts of the ROM,
not a power-of-two blocks read from PCI directly so PCs always have
empty bytes at the end that are never accesseed.

Signed-off-by: Nick Lopez <github@glowingmonkey.org>
---
 drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
index d0f52d59fc2f..64e423dddd9e 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
@@ -38,7 +38,7 @@ nvbios_addr(struct nvkm_bios *bios, u32 *addr, u8 size)
 		*addr += bios->imaged_addr;
 	}

-	if (unlikely(*addr + size >= bios->size)) {
+	if (unlikely(*addr + size > bios->size)) {
 		nvkm_error(&bios->subdev, "OOB %d %08x %08x\n", size, p, *addr);
 		return false;
 	}
-- 
2.30.2

WARNING: multiple messages have this Message-ID (diff)

From: Nick Lopez <github@glowingmonkey.org>
To: nouveau@lists.freedesktop.org, dri-devel@lists.freedesktop.org
Cc: Nick Lopez <github@glowingmonkey.org>
Subject: [PATCH] drm/nouveau: fix off by one in BIOS boundry checking
Date: Sat, 22 Jan 2022 01:19:06 -0700	[thread overview]
Message-ID: <20220122081906.2633061-1-github@glowingmonkey.org> (raw)

Bounds checking when parsing init scripts embedded in the BIOS reject
access to the last byte. This causes driver initialization to fail on
Apple eMac's with GeForce 2 MX GPUs, leaving the system with no working
console.

This is probably only seen on OpenFirmware machines like PowerPC Macs
because the BIOS image provides by OF is only the used parts of the ROM,
not a power-of-two blocks read from PCI directly so PCs always have
empty bytes at the end that are never accesseed.

Signed-off-by: Nick Lopez <github@glowingmonkey.org>
---
 drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
index d0f52d59fc2f..64e423dddd9e 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
@@ -38,7 +38,7 @@ nvbios_addr(struct nvkm_bios *bios, u32 *addr, u8 size)
 		*addr += bios->imaged_addr;
 	}

-	if (unlikely(*addr + size >= bios->size)) {
+	if (unlikely(*addr + size > bios->size)) {
 		nvkm_error(&bios->subdev, "OOB %d %08x %08x\n", size, p, *addr);
 		return false;
 	}
-- 
2.30.2

next             reply	other threads:[~2022-01-23  0:17 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-01-22  8:19 Nick Lopez [this message]
2022-01-22  8:19 ` [PATCH] drm/nouveau: fix off by one in BIOS boundry checking Nick Lopez
2022-01-24 17:06 ` [Nouveau] " Karol Herbst
2022-01-24 17:06   ` Karol Herbst

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:d0f52d59fc2 dfblob:64e423dddd9 dfblob:d0f52d59fc2
dfblob:64e423dddd9 )
 OR (
bs:"[PATCH] drm/nouveau: fix off by one in BIOS boundry checking" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220122081906.2633061-1-github@glowingmonkey.org \
    --to=github@glowingmonkey.org \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=nouveau@lists.freedesktop.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.