[radeon] connector_info_from_object_table
Amol
suratiamol at gmail.com
Fri Nov 19 09:51:17 UTC 2021
On 19/11/2021, Alex Deucher <alexdeucher at gmail.com> wrote:
> On Thu, Nov 18, 2021 at 11:37 AM Amol <suratiamol at gmail.com> wrote:
>>
>> Hello,
>>
>> The function radeon_get_atom_connector_info_from_object_table,
>> at location [1], ends up parsing ATOM_COMMON_TABLE_HEADER
>> as ATOM_COMMON_RECORD_HEADER if
>> enc_obj->asObjects[k].usRecordOffset is zero. It is found to be zero
>> in the BIOS found at [2].
>>
>> Thankfully, the loop that follows exits immediately since ucRecordSize
>> is 0 because
>> (ATOM_COMMON_TABLE_HEADER.usStructureSize & 0xff00) is zero.
>> But, with suitable values in the usStructureSize, the loop can be made to
>> run and parse garbage.
>>
>> A similar loop exists when parsing the conn objects.
>
> Can you send a patch to make it more robust?
Sent on a separate email.
Thanks,
Amol
>
> Thanks,
>
> Alex
>
>>
>> -Amol
>>
>> [1]
>> https://github.com/torvalds/linux/blob/master/drivers/gpu/drm/radeon/radeon_atombios.c#L652
>> [2] https://www.techpowerup.com/vgabios/211981/211981
>
More information about the amd-gfx
mailing list