* [PATCH] drm/nouveau: fix off by one in BIOS boundry checking
@ 2022-01-22  8:19 ` Nick Lopez
From: Nick Lopez @ 2022-01-22  8:19 UTC
  To: nouveau, dri-devel; +Cc: Nick Lopez

Bounds checking when parsing init scripts embedded in the BIOS rejects
access to the last byte. This causes driver initialization to fail on
Apple eMacs with GeForce 2 MX GPUs, leaving the system with no working
console.

This is probably only seen on OpenFirmware machines like PowerPC Macs
because the BIOS image provides by OF is only the used parts of the ROM,
not power-of-two blocks read from PCI directly so PCs always have
empty bytes at the end that are never accesseed.

Signed-off-by: Nick Lopez <github@glowingmonkey.org>
---
 drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
index d0f52d59fc2f..64e423dddd9e 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
@@ -38,7 +38,7 @@ nvbios_addr(struct nvkm_bios *bios, u32 *addr, u8 size)
 		*addr += bios->imaged_addr;
 	}
 
-	if (unlikely(*addr + size >= bios->size)) {
+	if (unlikely(*addr + size > bios->size)) {
 		nvkm_error(&bios->subdev, "OOB %d %08x %08x\n", size, p, *addr);
 		return false;
 	}
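Review bot: The sum in the new condition `*addr + size > bios->size` can still wrap. Per the signature in the hunk header, `addr` points to a u32 and `size` is a u8, so the addition is carried out in 32-bit unsigned arithmetic, and an offset near 0xffffffff plus `size` wraps to a small value that passes the check. The offset is derived from data parsed out of the image, so a form that cannot overflow would be safer, for example `size > bios->size || *addr > bios->size - size`, either in this patch or as a follow-up.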
-- 
2.30.2


* Re: [Nouveau] [PATCH] drm/nouveau: fix off by one in BIOS boundry checking
  2022-01-22  8:19 ` [Nouveau] " Nick Lopez
@ 2022-01-24 17:06   ` Karol Herbst
From: Karol Herbst @ 2022-01-24 17:06 UTC
  To: Nick Lopez; +Cc: nouveau, dri-devel

On Sat, Jan 22, 2022 at 11:44 AM Nick Lopez <github@glowingmonkey.org> wrote:
>
> Bounds checking when parsing init scripts embedded in the BIOS rejects
> access to the last byte. This causes driver initialization to fail on
> Apple eMacs with GeForce 2 MX GPUs, leaving the system with no working
> console.
>
> This is probably only seen on OpenFirmware machines like PowerPC Macs
> because the BIOS image provides by OF is only the used parts of the ROM,
> not power-of-two blocks read from PCI directly so PCs always have
> empty bytes at the end that are never accesseed.
>

small typo nitpicks: provided and accessed

Also, I think it makes sense to add

Fixes: 4d4e9907ff572 "drm/nouveau/bios: guard against out-of-bounds
accesses to image"
Cc: <stable@vger.kernel.org> # v4.10+

so it gets automatically backported to applicable stable kernels

Anyway, whoever picks the patch can make those adjustments as well.

Reviewed-by: Karol Herbst <kherbst@redhat.com>


> Signed-off-by: Nick Lopez <github@glowingmonkey.org>
> ---
>  drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
> index d0f52d59fc2f..64e423dddd9e 100644
> --- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
> +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
> @@ -38,7 +38,7 @@ nvbios_addr(struct nvkm_bios *bios, u32 *addr, u8 size)
>                 *addr += bios->imaged_addr;
>         }
>
> -       if (unlikely(*addr + size >= bios->size)) {
> +       if (unlikely(*addr + size > bios->size)) {
>                 nvkm_error(&bios->subdev, "OOB %d %08x %08x\n", size, p, *addr);
>                 return false;
>         }
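Review bot: Nothing at the changed comparison states the boundary convention, namely that `bios->size` is a byte count and `*addr + size` is the one-past-the-end offset of the access, so equality is valid. The removed `>=` shows how easily that is misread. A one-line comment above the check, such as `/* [*addr, *addr + size) must lie inside the image; ending exactly at bios->size is valid */`, would keep a later cleanup from tightening it again.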
> --
> 2.30.2
>


