From: Jani Nikula <jani.nikula@linux.intel.com>
To: Lucas De Marchi <lucas.demarchi@intel.com>,
intel-gfx@lists.freedesktop.org
Subject: Re: [PATCH 3/4] drm/i915/bios: make sure to check vbt size
Date: Fri, 08 Nov 2019 12:08:52 +0200 [thread overview]
Message-ID: <87h83e65or.fsf@intel.com> (raw)
In-Reply-To: <20191108003602.33526-3-lucas.demarchi@intel.com>
On Thu, 07 Nov 2019, Lucas De Marchi <lucas.demarchi@intel.com> wrote:
> When we call intel_bios_is_valid_vbt(), size may not actually be the
> size of the VBT, but rather the size of the blob the VBT is contained
> in. For example, when mapping the PCI oprom, size will be the entire
> oprom size. We don't want to read beyond what is reported to be the
> VBT. So make sure we vbt->vbt_size makes sense and use that for
> the latter checks.
>
> Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
> ---
> drivers/gpu/drm/i915/display/intel_bios.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c
> index 1f83616cfc32..671bbce6ba5b 100644
> --- a/drivers/gpu/drm/i915/display/intel_bios.c
> +++ b/drivers/gpu/drm/i915/display/intel_bios.c
> @@ -1777,11 +1777,13 @@ bool intel_bios_is_valid_vbt(const void *buf, size_t size)
> if (!vbt)
> return false;
>
> - if (sizeof(struct vbt_header) > size) {
> + if (sizeof(struct vbt_header) > size || vbt->vbt_size > size) {
> DRM_DEBUG_DRIVER("VBT header incomplete\n");
Nitpick #1, semantically you should check the VBT signature before you
know ->vbt_size might make sense.
Nitpick #2, the debug message becomes increasingly non-informative. But
basically most messages in this function are less than stellar.
In any case, the goal is sane,
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
> return false;
> }
>
> + size = vbt->vbt_size;
> +
> if (memcmp(vbt->signature, "$VBT", 4)) {
> DRM_DEBUG_DRIVER("VBT invalid signature\n");
> return false;
--
Jani Nikula, Intel Open Source Graphics Center
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
WARNING: multiple messages have this Message-ID (diff)
From: Jani Nikula <jani.nikula@linux.intel.com>
To: Lucas De Marchi <lucas.demarchi@intel.com>,
intel-gfx@lists.freedesktop.org
Subject: Re: [Intel-gfx] [PATCH 3/4] drm/i915/bios: make sure to check vbt size
Date: Fri, 08 Nov 2019 12:08:52 +0200 [thread overview]
Message-ID: <87h83e65or.fsf@intel.com> (raw)
Message-ID: <20191108100852.pXlZOlSmyqcWZeykj-P3UQQm7NX4ZaKHheKDu_OO3eA@z> (raw)
In-Reply-To: <20191108003602.33526-3-lucas.demarchi@intel.com>
On Thu, 07 Nov 2019, Lucas De Marchi <lucas.demarchi@intel.com> wrote:
> When we call intel_bios_is_valid_vbt(), size may not actually be the
> size of the VBT, but rather the size of the blob the VBT is contained
> in. For example, when mapping the PCI oprom, size will be the entire
> oprom size. We don't want to read beyond what is reported to be the
> VBT. So make sure we vbt->vbt_size makes sense and use that for
> the latter checks.
>
> Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
> ---
> drivers/gpu/drm/i915/display/intel_bios.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c
> index 1f83616cfc32..671bbce6ba5b 100644
> --- a/drivers/gpu/drm/i915/display/intel_bios.c
> +++ b/drivers/gpu/drm/i915/display/intel_bios.c
> @@ -1777,11 +1777,13 @@ bool intel_bios_is_valid_vbt(const void *buf, size_t size)
> if (!vbt)
> return false;
>
> - if (sizeof(struct vbt_header) > size) {
> + if (sizeof(struct vbt_header) > size || vbt->vbt_size > size) {
> DRM_DEBUG_DRIVER("VBT header incomplete\n");
Nitpick #1, semantically you should check the VBT signature before you
know ->vbt_size might make sense.
Nitpick #2, the debug message becomes increasingly non-informative. But
basically most messages in this function are less than stellar.
In any case, the goal is sane,
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
> return false;
> }
>
> + size = vbt->vbt_size;
> +
> if (memcmp(vbt->signature, "$VBT", 4)) {
> DRM_DEBUG_DRIVER("VBT invalid signature\n");
> return false;
--
Jani Nikula, Intel Open Source Graphics Center
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
next prev parent reply other threads:[~2019-11-08 10:08 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-08 0:35 [PATCH 1/4] drm/i915/opregion: fix leaking fw on error path Lucas De Marchi
2019-11-08 0:35 ` [Intel-gfx] " Lucas De Marchi
2019-11-08 0:36 ` [PATCH 2/4] drm/i915/bios: rename bios to oprom when mapping pci rom Lucas De Marchi
2019-11-08 0:36 ` [Intel-gfx] " Lucas De Marchi
2019-11-08 10:01 ` Jani Nikula
2019-11-08 10:01 ` [Intel-gfx] " Jani Nikula
2019-11-08 0:36 ` [PATCH 3/4] drm/i915/bios: make sure to check vbt size Lucas De Marchi
2019-11-08 0:36 ` [Intel-gfx] " Lucas De Marchi
2019-11-08 10:08 ` Jani Nikula [this message]
2019-11-08 10:08 ` Jani Nikula
2019-11-08 17:41 ` Lucas De Marchi
2019-11-08 17:41 ` [Intel-gfx] " Lucas De Marchi
2019-11-08 0:36 ` [PATCH 4/4] drm/i915/bios: do not discard address space Lucas De Marchi
2019-11-08 0:36 ` [Intel-gfx] " Lucas De Marchi
2019-11-08 11:14 ` Jani Nikula
2019-11-08 11:14 ` [Intel-gfx] " Jani Nikula
2019-11-08 18:18 ` Lucas De Marchi
2019-11-08 18:18 ` [Intel-gfx] " Lucas De Marchi
2019-11-08 19:19 ` Ville Syrjälä
2019-11-08 19:19 ` [Intel-gfx] " Ville Syrjälä
2019-11-08 20:14 ` Lucas De Marchi
2019-11-08 20:14 ` [Intel-gfx] " Lucas De Marchi
2019-11-08 21:02 ` Ville Syrjälä
2019-11-08 21:02 ` [Intel-gfx] " Ville Syrjälä
2019-11-08 21:09 ` Lucas De Marchi
2019-11-08 21:09 ` [Intel-gfx] " Lucas De Marchi
2019-11-11 11:10 ` Jani Nikula
2019-11-11 11:10 ` [Intel-gfx] " Jani Nikula
2019-11-10 16:57 ` kbuild test robot
2019-11-10 16:57 ` [Intel-gfx] " kbuild test robot
2019-11-10 16:57 ` kbuild test robot
2019-11-10 16:57 ` [RFC PATCH] drm/i915/bios: find_vbt() can be static kbuild test robot
2019-11-10 16:57 ` kbuild test robot
2019-11-10 16:57 ` [Intel-gfx] " kbuild test robot
2019-11-08 1:53 ` ✗ Fi.CI.SPARSE: warning for series starting with [1/4] drm/i915/opregion: fix leaking fw on error path Patchwork
2019-11-08 1:53 ` [Intel-gfx] " Patchwork
2019-11-08 2:18 ` ✓ Fi.CI.BAT: success " Patchwork
2019-11-08 2:18 ` [Intel-gfx] " Patchwork
2019-11-08 9:16 ` [PATCH 1/4] " Jani Nikula
2019-11-08 9:16 ` [Intel-gfx] " Jani Nikula
2019-11-08 17:34 ` Lucas De Marchi
2019-11-08 17:34 ` [Intel-gfx] " Lucas De Marchi
2019-11-09 13:23 ` ✓ Fi.CI.IGT: success for series starting with [1/4] " Patchwork
2019-11-09 13:23 ` [Intel-gfx] " Patchwork
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87h83e65or.fsf@intel.com \
--to=jani.nikula@linux.intel.com \
--cc=intel-gfx@lists.freedesktop.org \
--cc=lucas.demarchi@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.