[radeon] connector_info_from_object_table
Amol
suratiamol at gmail.com
Thu Nov 18 16:37:21 UTC 2021
Hello,
The function radeon_get_atom_connector_info_from_object_table,
at location [1], ends up parsing ATOM_COMMON_TABLE_HEADER
as ATOM_COMMON_RECORD_HEADER if
enc_obj->asObjects[k].usRecordOffset is zero. It is found to be zero
in the BIOS found at [2].
Thankfully, the loop that follows exits immediately since ucRecordSize
is 0 because
(ATOM_COMMON_TABLE_HEADER.usStructureSize & 0xff00) is zero.
But, with suitable values in the usStructureSize, the loop can be made to
run and parse garbage.
A similar loop exists when parsing the conn objects.
-Amol
[1] https://github.com/torvalds/linux/blob/master/drivers/gpu/drm/radeon/radeon_atombios.c#L652
[2] https://www.techpowerup.com/vgabios/211981/211981
More information about the amd-gfx
mailing list