drm/i915: Validate BDB section before reading

Make sure that the whole BDB section is within the MMIO region prior to accessing it contents. That we don't read outside of the secion is left up to the individual section parsers. Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Signed-off-by: Rodrigo Vivi <rodrigo.vivi@gmail.com> Reviewed-by: Shobhit Kumar <shobhit.kumar@intel.com> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>

drm/i915: Validate BDB section before reading
Make sure that the whole BDB section is within the MMIO region prior to accessing it contents. That we don't read outside of the secion is left up to the individual section parsers. Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Signed-off-by: Rodrigo Vivi <rodrigo.vivi@gmail.com> Reviewed-by: Shobhit Kumar <shobhit.kumar@intel.com> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
d1f13fd2 · Chris Wilson · Daniel Vetter · c6df39b5 · d1f13fd2
Commit d1f13fd2 authored Apr 18, 2014 by Chris Wilson Committed by Daniel Vetter May 05, 2014
Show whitespace changes
Inline Side-by-side

Showing with 7 additions and 1 deletion

drivers/gpu/drm/i915/intel_bios.c drivers/gpu/drm/i915/intel_bios.c +7 -1

No files found.
--- a/drivers/gpu/drm/i915/intel_bios.c
+++ b/drivers/gpu/drm/i915/intel_bios.c
@@ -49,13 +49,19 @@ find_section(struct bdb_header *bdb, int section_id)
 	total = bdb->bdb_size;
 	/* walk the sections looking for section_id */
-	while (index < total) {
+	while (index + 3 < total) {
 		current_id = *(base + index);
 		index++;
 		current_size = *((u16 *)(base + index));
 		index += 2;
+		if (index + current_size > total)
+			return NULL;
 		if (current_id == section_id)
 			return base + index;
 		index += current_size;
 	}