From: Jani Nikula <jani.nikula@linux.intel.com>
To: Naveed Khan <naveed@digiscrypt.com>, dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] drm/edid: check DisplayID tiled block length before parsing
Date: Wed, 24 Jun 2026 11:05:59 +0300
Message-ID: <3bf6abb4dfd22771b3774f22a4be9b7f647668fe@intel.com>
In-Reply-To: <178223524141.58041.12138826976759023373@digiscrypt.com>

On Tue, 23 Jun 2026, Naveed Khan <naveed@digiscrypt.com> wrote:
> drm_parse_tiled_block() casts the generic DisplayID data block to
> struct displayid_tiled_block and unconditionally reads the whole
> fixed-size structure (tile_cap, topo[3], tile_size[4],
> tile_pixel_bezel[5] and the 8-byte topology_id), but it never looks at
> block->num_bytes.
>
> The DisplayID iterator in displayid_iter_block() only guarantees that the
> block's *declared* length, sizeof(struct displayid_block) + num_bytes,
> fits inside the section. A DisplayID extension that declares a tiled
> display block (tag DATA_BLOCK_TILED_DISPLAY) with a num_bytes smaller than
> the structure payload is therefore happily handed to the parser, which
> then reads past the declared block. When such a block is placed near the
> end of the last DisplayID EDID extension, the over-read runs past the end
> of the EDID allocation - an out-of-bounds read controlled entirely by the
> contents of the EDID.
>
> Reject tiled blocks that are too short to hold the structure, mirroring
> the size check already done for the VESA vendor block in
> drm_parse_vesa_mso_data().

Already fixed by commit faaa1e115583 ("drm/edid: fix OOB read in
drm_parse_tiled_block()").

BR,
Jani.

>
> Signed-off-by: Naveed Khan <naveed@digiscrypt.com>
> ---
> diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c
> index 404208bf23..b4298012eb 100644
> --- a/drivers/gpu/drm/drm_edid.c
> +++ b/drivers/gpu/drm/drm_edid.c
> @@ -7575,6 +7575,13 @@ static void drm_parse_tiled_block(struct drm_connector *connector,
>  	u8 num_v_tile, num_h_tile;
>  	struct drm_tile_group *tg;
>  
> +	if (block->num_bytes < sizeof(*tile) - sizeof(*block)) {
> +		drm_dbg_kms(connector->dev,
> +			    "[CONNECTOR:%d:%s] Invalid tiled display block size %u\n",
> +			    connector->base.id, connector->name, block->num_bytes);
> +		return;
> +	}
> +
>  	w = tile->tile_size[0] | tile->tile_size[1] << 8;
>  	h = tile->tile_size[2] | tile->tile_size[3] << 8;
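
Review bot: the new comparison at the top of drm_parse_tiled_block(), `block->num_bytes < sizeof(*tile) - sizeof(*block)`, is only the right bound if struct displayid_tiled_block begins with the struct displayid_block header and has no padding, and neither is visible in this hunk. Say so in a short comment above the check, or express the minimum payload as a named constant so the assumption is checked in one place. The declarations above line 7575 are also outside the hunk, so confirm none of them is initialised from a `tile->` field, since that read would happen before the new check. The rejection is reported only through drm_dbg_kms() and the function returns void, so the caller cannot tell a rejected block from a parsed one; state in the commit message whether leaving the connector's existing tile state untouched is the intended outcome for a short block.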

-- 
Jani Nikula, Intel

Thread overview: 2+ messages
2026-06-23 17:20 [PATCH] drm/edid: check DisplayID tiled block length before parsing Naveed Khan
2026-06-24  8:05 ` Jani Nikula [this message]
