From: Lekensteyn <lekensteyn-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org,
Ben Skeggs <bskeggs-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Subject: [PATCH] drm/nouveau/bios: use size provided by _ROM method
Date: Sun, 21 Oct 2012 12:53:15 +0200
Message-ID: <6085585.gbMWY34h3C@al>
From: Peter Wu <lekensteyn-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Since commit "drm/nouveau/bios: attempt to fetch entire acpi rom image in one
shot", the ACPI spec is broken in order to gain speed. In theory, since the
_ROM method is supposed to return 4 KiB only, the returned buffer size could be
less than the requested length. This could lead to reading past the buffer
boundaries which could make worse things happen. To fix that, do not read more
than the buffer contains. As an extra side-effect, the function returns the
bytes that have really been read which is more natural.
Signed-off-by: Peter Wu <lekensteyn-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
drivers/gpu/drm/nouveau/nouveau_acpi.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/nouveau/nouveau_acpi.c b/drivers/gpu/drm/nouveau/nouveau_acpi.c
index 48783e1..368e45c 100644
--- a/drivers/gpu/drm/nouveau/nouveau_acpi.c
+++ b/drivers/gpu/drm/nouveau/nouveau_acpi.c
@@ -356,6 +356,7 @@ static int nouveau_rom_call(acpi_handle rom_handle, uint8_t *bios,
return -ENODEV;
}
obj = (union acpi_object *)buffer.pointer;
+ len = min(len, (int)obj->buffer.size);
memcpy(bios+offset, obj->buffer.pointer, len);
kfree(buffer.pointer);
return len;
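Review bot: The `(int)` cast in the added `min()` line is a signed clamp: if the size reported by the method does not fit in an int, the cast yields a negative value, `min()` selects it, and `memcpy(bios+offset, obj->buffer.pointer, len)` then receives that negative `len` as a very large length. Doing the comparison in an unsigned type, for example with `min_t(unsigned int, ...)`, and rejecting a negative `len` up front would avoid that. The visible lines also read `obj->buffer` right after the cast of `buffer.pointer` without any check of `obj->type`, so it is worth confirming the object really is a buffer before trusting its size and pointer, returning -ENODEV (after freeing `buffer.pointer`) if it is not. Since the function can now return fewer bytes than requested, a short comment on the return value would help callers that assume a full read.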
--
1.7.9.5