From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Nick Lopez <github@glowingmonkey.org>,
Ilia Mirkin <imirkin@alum.mit.edu>,
Karol Herbst <kherbst@redhat.com>
Subject: [PATCH 5.4 11/44] drm/nouveau: fix off by one in BIOS boundary checking
Date: Mon, 7 Feb 2022 12:06:27 +0100 [thread overview]
Message-ID: <20220207103753.522786437@linuxfoundation.org> (raw)
In-Reply-To: <20220207103753.155627314@linuxfoundation.org>
From: Nick Lopez <github@glowingmonkey.org>
commit 1b777d4d9e383d2744fc9b3a09af6ec1893c8b1a upstream.
Bounds checking when parsing init scripts embedded in the BIOS reject
access to the last byte. This causes driver initialization to fail on
Apple eMac's with GeForce 2 MX GPUs, leaving the system with no working
console.
This is probably only seen on OpenFirmware machines like PowerPC Macs
because the BIOS image provided by OF is only the used parts of the ROM,
not a power-of-two blocks read from PCI directly so PCs always have
empty bytes at the end that are never accessed.
Signed-off-by: Nick Lopez <github@glowingmonkey.org>
Fixes: 4d4e9907ff572 ("drm/nouveau/bios: guard against out-of-bounds accesses to image")
Cc: <stable@vger.kernel.org> # v4.10+
Reviewed-by: Ilia Mirkin <imirkin@alum.mit.edu>
Reviewed-by: Karol Herbst <kherbst@redhat.com>
Signed-off-by: Karol Herbst <kherbst@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220122081906.2633061-1-github@glowingmonkey.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
@@ -38,7 +38,7 @@ nvbios_addr(struct nvkm_bios *bios, u32
*addr += bios->imaged_addr;
}
- if (unlikely(*addr + size >= bios->size)) {
+ if (unlikely(*addr + size > bios->size)) {
nvkm_error(&bios->subdev, "OOB %d %08x %08x\n", size, p, *addr);
return false;
}
next prev parent reply other threads:[~2022-02-07 11:35 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-07 11:06 [PATCH 5.4 00/44] 5.4.178-rc1 review Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 01/44] audit: improve audit queue handling when "audit=1" on cmdline Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 02/44] ASoC: ops: Reject out of bounds values in snd_soc_put_volsw() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 03/44] ASoC: ops: Reject out of bounds values in snd_soc_put_volsw_sx() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 04/44] ASoC: ops: Reject out of bounds values in snd_soc_put_xr_sx() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 05/44] ALSA: usb-audio: Simplify quirk entries with a macro Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 06/44] ALSA: hda/realtek: Add quirk for ASUS GU603 Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 07/44] ALSA: hda/realtek: Add missing fixup-model entry for Gigabyte X570 ALC1220 quirks Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 08/44] ALSA: hda/realtek: Fix silent output on Gigabyte X570S Aorus Master (newer chipset) Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 09/44] ALSA: hda/realtek: Fix silent output on Gigabyte X570 Aorus Xtreme after reboot from Windows Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 10/44] btrfs: fix deadlock between quota disable and qgroup rescan worker Greg Kroah-Hartman
2022-02-07 11:06 ` Greg Kroah-Hartman [this message]
2022-02-07 11:06 ` [PATCH 5.4 12/44] mm/kmemleak: avoid scanning potential huge holes Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 13/44] block: bio-integrity: Advance seed correctly for larger interval sizes Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 14/44] Revert "ASoC: mediatek: Check for error clk pointer" Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 15/44] memcg: charge fs_context and legacy_fs_context Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 16/44] IB/rdmavt: Validate remote_addr during loopback atomic tests Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 17/44] RDMA/siw: Fix broken RDMA Read Fence/Resume logic Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 18/44] RDMA/mlx4: Dont continue event handler after memory allocation failure Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 19/44] iommu/vt-d: Fix potential memory leak in intel_setup_irq_remapping() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 20/44] iommu/amd: Fix loop timeout issue in iommu_ga_log_enable() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 21/44] spi: bcm-qspi: check for valid cs before applying chip select Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 22/44] spi: mediatek: Avoid NULL pointer crash in interrupt Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 23/44] spi: meson-spicc: add IRQ check in meson_spicc_probe Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 24/44] net: ieee802154: hwsim: Ensure proper channel selection at probe time Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 25/44] net: ieee802154: mcr20a: Fix lifs/sifs periods Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 26/44] net: ieee802154: ca8210: Stop leaking skbs Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 27/44] net: ieee802154: Return meaningful error codes from the netlink helpers Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 28/44] net: macsec: Verify that send_sci is on when setting Tx sci explicitly Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 29/44] net: stmmac: dump gmac4 DMA registers correctly Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 30/44] net: stmmac: ensure PTP time register reads are consistent Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 31/44] drm/i915/overlay: Prevent divide by zero bugs in scaling Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 32/44] ASoC: fsl: Add missing error handling in pcm030_fabric_probe Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 33/44] ASoC: xilinx: xlnx_formatter_pcm: Make buffer bytes multiple of period bytes Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 34/44] ASoC: cpcap: Check for NULL pointer after calling of_get_child_by_name Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 35/44] ASoC: max9759: fix underflow in speaker_gain_control_put() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 36/44] pinctrl: bcm2835: Fix a few error paths Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 37/44] scsi: bnx2fc: Make bnx2fc_recv_frame() mp safe Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 38/44] nfsd: nfsd4_setclientid_confirm mistakenly expires confirmed client Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 39/44] selftests: futex: Use variable MAKE instead of make Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 40/44] rtc: cmos: Evaluate century appropriate Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 41/44] EDAC/altera: Fix deferred probing Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 42/44] EDAC/xgene: " Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.4 43/44] ext4: fix error handling in ext4_restore_inline_data() Greg Kroah-Hartman
2022-02-07 11:07 ` [PATCH 5.4 44/44] cgroup/cpuset: Fix "suspicious RCU usage" lockdep warning Greg Kroah-Hartman
2022-02-07 21:29 ` [PATCH 5.4 00/44] 5.4.178-rc1 review Shuah Khan
2022-02-07 23:27 ` Florian Fainelli
2022-02-08 1:47 ` Slade Watkins
2022-02-08 3:29 ` Guenter Roeck
2022-02-08 8:09 ` Naresh Kamboju
2022-02-08 8:30 ` Jon Hunter
2022-02-08 13:59 ` Sudip Mukherjee
2022-02-09 2:48 ` Samuel Zou
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220207103753.522786437@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=github@glowingmonkey.org \
--cc=imirkin@alum.mit.edu \
--cc=kherbst@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).