From: "Kumar, Shobhit" <shobhit.kumar@intel.com>
To: Rodrigo Vivi <rodrigo.vivi@gmail.com>, intel-gfx@lists.freedesktop.org
Subject: Re: [PATCH 06/14] drm/i915: Validate VBT header before trusting it
Date: Thu, 24 Apr 2014 21:22:23 +0530 [thread overview]
Message-ID: <53593337.2060709@intel.com> (raw)
In-Reply-To: <1397855070-4480-7-git-send-email-rodrigo.vivi@gmail.com>
On 4/19/2014 2:34 AM, Rodrigo Vivi wrote:
> From: Chris Wilson <chris@chris-wilson.co.uk>
>
> Be we read and chase pointers from the VBT, it is prudent to make sure
> that those accesses are wholly contained within the MMIO region, or else
> we may cause a kernel panic during boot.
>
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> Signed-off-by: Rodrigo Vivi <rodrigo.vivi@gmail.com>
> ---
> drivers/gpu/drm/i915/intel_bios.c | 68 ++++++++++++++++++++++++++++-----------
> 1 file changed, 50 insertions(+), 18 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/intel_bios.c b/drivers/gpu/drm/i915/intel_bios.c
> index fba9efd..fc9e806 100644
> --- a/drivers/gpu/drm/i915/intel_bios.c
> +++ b/drivers/gpu/drm/i915/intel_bios.c
> @@ -1099,6 +1099,46 @@ static const struct dmi_system_id intel_no_opregion_vbt[] = {
> { }
> };
>
> +static struct bdb_header *validate_vbt(char *base, size_t size,
> + struct vbt_header *vbt,
> + const char *source)
> +{
> + size_t offset;
> + struct bdb_header *bdb;
> +
> + if (vbt == NULL) {
> + DRM_DEBUG_DRIVER("VBT signature missing\n");
> + return NULL;
> + }
> +
> + offset = (char *)vbt - base;
> + if (offset + sizeof(struct vbt_header) > size) {
> + DRM_DEBUG_DRIVER("VBT header incomplete\n");
> + return NULL;
> + }
> +
> + if (memcmp(vbt->signature, "$VBT", 4)) {
> + DRM_DEBUG_DRIVER("VBT invalid signature\n");
> + return NULL;
> + }
> +
> + offset += vbt->bdb_offset;
> + if (offset + sizeof(struct bdb_header) > size) {
> + DRM_DEBUG_DRIVER("BDB header incomplete\n");
> + return NULL;
> + }
> +
> + bdb = (struct bdb_header *)(base + offset);
> + if (offset + bdb->bdb_size > size) {
> + DRM_DEBUG_DRIVER("BDB incomplete\n");
> + return NULL;
> + }
I know that BDB version check is really not enough and VBT should be
forward compatible, but it would be good to have a version check in
driver for the current BDB version the parser supports as well.
Strictly speaking if we put this check we should ideally reject any
newer versions, but putting an error log indicating mismatch might be a
good idea for debug.
Regards
Shobhit
next prev parent reply other threads:[~2014-04-24 15:52 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-18 21:04 [PATCH 00/14] drm-intel-collector - update Rodrigo Vivi
2014-04-18 21:04 ` [PATCH 01/14] drm/i915: Bring UP Power Wells before disabling RC6 Rodrigo Vivi
2014-04-18 21:04 ` [PATCH 02/14] drm/i915: Add support for stealing purgable stolen pages Rodrigo Vivi
2014-04-18 21:04 ` [PATCH 03/14] drm/i915: Do not allow a pending forcewake put to unbalance across reset Rodrigo Vivi
2014-04-18 21:04 ` [PATCH 04/14] drm/i915: Don't save/restore RS when not used Rodrigo Vivi
2014-04-18 21:04 ` [PATCH 05/14] drm/i915: add support for Z-order of planes Rodrigo Vivi
2014-04-18 21:04 ` [PATCH 06/14] drm/i915: Validate VBT header before trusting it Rodrigo Vivi
2014-04-24 15:52 ` Kumar, Shobhit [this message]
2014-04-25 8:02 ` Daniel Vetter
2014-04-25 8:24 ` Kumar, Shobhit
2014-04-25 9:12 ` Daniel Vetter
2014-04-25 9:28 ` Chris Wilson
2014-04-25 11:24 ` Kumar, Shobhit
2014-04-18 21:04 ` [PATCH 07/14] drm/i915: Validate BDB section before reading Rodrigo Vivi
2014-04-24 15:53 ` Kumar, Shobhit
2014-04-25 8:03 ` Daniel Vetter
2014-04-18 21:04 ` [PATCH 08/14] drm/i915: Upgrade execbuffer fail after resume failure to EIO Rodrigo Vivi
2014-04-18 21:04 ` [PATCH 09/14] drm/i915: Add property to set HDMI aspect ratio Rodrigo Vivi
2014-04-18 21:04 ` [PATCH 10/14] drm/i915: Prevent context obj from being corrupted Rodrigo Vivi
2014-04-18 21:04 ` [PATCH 11/14] drm/i915/bdw: Add WT caching ability Rodrigo Vivi
2014-04-28 16:19 ` Volkin, Bradley D
2014-04-18 21:04 ` [PATCH 12/14] drm/i915/bdw: enable eDRAM Rodrigo Vivi
2014-04-28 16:27 ` Volkin, Bradley D
2014-04-18 21:04 ` [PATCH 13/14] drm/i915/bdw: Disable idle DOP clock gating Rodrigo Vivi
2014-04-28 16:37 ` Volkin, Bradley D
2014-04-29 8:50 ` Daniel Vetter
2014-04-18 21:04 ` [PATCH 14/14] drm/i915: honour forced connector modes Rodrigo Vivi
2014-04-25 9:04 ` [PATCH 00/14] drm-intel-collector - update Daniel Vetter
2014-04-25 9:24 ` Chris Wilson
2014-04-25 10:07 ` Daniel Vetter
2014-04-25 10:19 ` Chris Wilson
2014-04-25 10:31 ` Daniel Vetter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53593337.2060709@intel.com \
--to=shobhit.kumar@intel.com \
--cc=intel-gfx@lists.freedesktop.org \
--cc=rodrigo.vivi@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox