[Intel-gfx] [PATCH 3/4] drm/i915/bios: make sure to check vbt size

Lucas De Marchi lucas.demarchi at intel.com
Fri Nov 8 00:36:01 UTC 2019


When we call intel_bios_is_valid_vbt(), size may not actually be the
size of the VBT, but rather the size of the blob the VBT is contained
in. For example, when mapping the PCI oprom, size will be the entire
oprom size. We don't want to read beyond what is reported to be the
VBT. So make sure vbt->vbt_size makes sense and use that for
the later checks.

Signed-off-by: Lucas De Marchi <lucas.demarchi at intel.com>
---
 drivers/gpu/drm/i915/display/intel_bios.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c
index 1f83616cfc32..671bbce6ba5b 100644
--- a/drivers/gpu/drm/i915/display/intel_bios.c
+++ b/drivers/gpu/drm/i915/display/intel_bios.c
@@ -1777,11 +1777,13 @@ bool intel_bios_is_valid_vbt(const void *buf, size_t size)
 	if (!vbt)
 		return false;
 
-	if (sizeof(struct vbt_header) > size) {
+	if (sizeof(struct vbt_header) > size || vbt->vbt_size > size) {
 		DRM_DEBUG_DRIVER("VBT header incomplete\n");
 		return false;
 	}
 
+	size = vbt->vbt_size;
+
 	if (memcmp(vbt->signature, "$VBT", 4)) {
 		DRM_DEBUG_DRIVER("VBT invalid signature\n");
 		return false;
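Review bot: the new condition only bounds vbt->vbt_size from above, so after `size = vbt->vbt_size;` nothing guarantees that size still covers the header. A vbt_size smaller than sizeof(struct vbt_header), including 0, passes the check, and every later test then runs against a size smaller than the struct that was just dereferenced. Consider rejecting `vbt->vbt_size < sizeof(struct vbt_header)` in the same condition. Two smaller points: "VBT header incomplete" is now also printed when vbt_size exceeds the containing blob, so a separate debug message would keep the two failures distinguishable; and vbt_size is adopted before the "$VBT" signature memcmp, so the field is taken from a blob not yet known to be a VBT. Moving the size checks and the assignment after the signature test would avoid that.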
-- 
2.23.0


