Commit 86d2b206 authored by Harry Wentland's avatar Harry Wentland Committed by Alex Deucher
Browse files

drm/amd/display: Validate GPIO pin LUT table size before iterating 



[Why&How]
The GPIO pin table parsers in get_gpio_i2c_info() and
bios_parser_get_gpio_pin_info() derive an element count from the VBIOS
table_header.structuresize field, then iterate over gpio_pin[] entries.
However, GET_IMAGE() only validates that the table header itself fits
within the BIOS image. If the VBIOS reports a structuresize larger than
the actual mapped data, the loop reads past the end of the BIOS image,
causing an out-of-bounds read.

Fix this by calling bios_get_image() to validate that the full claimed
structuresize is accessible within the BIOS image before entering the
loop in both functions.

Assisted-by: GitHub Copilot:claude-opus-4-6
Reviewed-by: default avatarAlex Hung <alex.hung@amd.com>
Signed-off-by: default avatarHarry Wentland <harry.wentland@amd.com>
Signed-off-by: default avatarIvan Lipski <ivan.lipski@amd.com>
Tested-by: default avatarDan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
(cherry picked from commit ba5e95b43b773ae1bf1f66ee6b31eb774e65afe3)
Cc: stable@vger.kernel.org
parent cd86529e

drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c

+9 −0
Original line number Diff line number Diff line
@@ -493,6 +493,10 @@ static enum bp_result get_gpio_i2c_info( 
			- sizeof(struct atom_common_table_header))

				/ sizeof(struct atom_gpio_pin_assignment);



	if (!bios_get_image(&bp->base, DATA_TABLES(gpio_pin_lut),

			    le16_to_cpu(header->table_header.structuresize)))

		return BP_RESULT_BADBIOSTABLE;



	pin = (struct atom_gpio_pin_assignment *) header->gpio_pin;



	for (table_index = 0; table_index < count; table_index++) {
@@ -681,6 +685,11 @@ static enum bp_result bios_parser_get_gpio_pin_info( 
	count = (le16_to_cpu(header->table_header.structuresize)

			- sizeof(struct atom_common_table_header))

				/ sizeof(struct atom_gpio_pin_assignment);



	if (!bios_get_image(&bp->base, DATA_TABLES(gpio_pin_lut),

			    le16_to_cpu(header->table_header.structuresize)))

		return BP_RESULT_BADBIOSTABLE;



	for (i = 0; i < count; ++i) {

		if (header->gpio_pin[i].gpio_id != gpio_id)

			continue;