From: Daniel Vetter
Subject: Re: [PATCH 07/14] drm/i915: Validate BDB section before reading
Date: Fri, 25 Apr 2014 10:03:28 +0200
Message-ID: <20140425080328.GL26374@phenom.ffwll.local>
References: <1397855070-4480-1-git-send-email-rodrigo.vivi@gmail.com> <1397855070-4480-8-git-send-email-rodrigo.vivi@gmail.com> <53593374.9080003@intel.com>
In-Reply-To: <53593374.9080003@intel.com>
To: "Kumar, Shobhit"
Cc: intel-gfx@lists.freedesktop.org
List-Id: intel-gfx@lists.freedesktop.org

On Thu, Apr 24, 2014 at 09:23:24PM +0530, Kumar, Shobhit wrote:
> On 4/19/2014 2:34 AM, Rodrigo Vivi wrote:
> >From: Chris Wilson
> >
> >Make sure that the whole BDB section is within the MMIO region prior to
> >accessing its contents. That we don't read outside of the section is left
> >up to the individual section parsers.
> >
> >Signed-off-by: Chris Wilson
> >Signed-off-by: Rodrigo Vivi
> >---
> >  drivers/gpu/drm/i915/intel_bios.c | 8 +++++++-
> >  1 file changed, 7 insertions(+), 1 deletion(-)
> >
> >diff --git a/drivers/gpu/drm/i915/intel_bios.c b/drivers/gpu/drm/i915/intel_bios.c
> >index fc9e806..2945f57 100644
> >--- a/drivers/gpu/drm/i915/intel_bios.c
> >+++ b/drivers/gpu/drm/i915/intel_bios.c
> >@@ -49,13 +49,19 @@ find_section(struct bdb_header *bdb, int section_id) > > total = bdb->bdb_size; > > > > /* walk the sections looking for section_id */ > >- while (index < total) { > >+ while (index + 3 < total) { > > current_id = *(base + index); > > index++; > >+ > > current_size = *((u16 *)(base + index)); > > index += 2; > >+ > >+ if (index + current_size > total) > >+ return NULL; > >+ > > if (current_id == section_id) > > return base + index; > >+ > > index += current_size; > > } > > > > Reviewed-by: Shobhit Kumar Queued for -next, thanks for the patch. -Daniel -- Daniel Vetter Software Engineer, Intel Corporation +41 (0) 79 365 57 48 - http://blog.ffwll.ch
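Review bot: the new `if (index + current_size > total) return NULL;` bounds each section against `total = bdb->bdb_size`, a value read from the same firmware blob, so the check only holds if the caller has already verified that `bdb_size` fits within the mapped VBT region; that precondition is not visible in this hunk and deserves a comment above the loop. Two smaller points: with a 3-byte section header the loop guard reads more naturally as `index + 3 <= total` (the `<` form silently drops a zero-length section that ends exactly at `total`, harmless but surprising), and a `DRM_DEBUG_KMS` line before the `return NULL` would make a truncated VBT diagnosable instead of having the section quietly disappear.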