Commit cd86529e authored May 04, 2026 by Harry Wentland Committed by Alex Deucher May 19, 2026

drm/amd/display: Fix integer overflow in bios_get_image()



[Why&How]
The bounds check in bios_get_image() computes 'offset + size' using
unsigned 32-bit arithmetic before comparing against bios_size. If a
VBIOS image contains a near-UINT32_MAX offset the addition wraps to a
small value, the comparison passes, and the function returns a wild
pointer past the VBIOS mapping.

Additionally, the comparison uses '<' (strict), which incorrectly
rejects the valid exact-fit case where offset + size == bios_size.

Fix both issues by restructuring the check to avoid the addition
entirely: first reject if offset alone exceeds bios_size, then check
size against the remaining space (bios_size - offset). This eliminates
the overflow and correctly permits exact-fit accesses.

Assisted-by: GitHub Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ivan Lipski <ivan.lipski@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit d40fb392af659c4a02b560319f226842f6ec1a95)
Cc: stable@vger.kernel.org

parent 6dc2c49a

drivers/gpu/drm/amd/display/dc/bios/bios_parser_helper.c

+6 −3

Original line number	Diff line number	Diff line
		@@ -37,10 +37,13 @@ uint8_t bios_get_image(struct dc_bios bp,
		uint32_t offset,
		uint32_t size)
		{
		if (bp->bios && offset + size < bp->bios_size)
		return bp->bios + offset;
		else
		if (!bp->bios)
		return NULL;

		if (offset > bp->bios_size \|\| size > bp->bios_size - offset)
		return NULL;

		return bp->bios + offset;
		}

		#include "reg_helper.h"