From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Kumar, Shobhit" <shobhit.kumar@intel.com>
Subject: Re: [PATCH 06/14] drm/i915: Validate VBT header before
 trusting it
Date: Thu, 24 Apr 2014 21:22:23 +0530
Message-ID: <53593337.2060709@intel.com>
References: <1397855070-4480-1-git-send-email-rodrigo.vivi@gmail.com>
 <1397855070-4480-7-git-send-email-rodrigo.vivi@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Content-Transfer-Encoding: 7bit
Return-path: <intel-gfx-bounces@lists.freedesktop.org>
Received: from mga09.intel.com (mga09.intel.com [134.134.136.24])
 by gabe.freedesktop.org (Postfix) with ESMTP id 6617E6ECDD
 for <intel-gfx@lists.freedesktop.org>; Thu, 24 Apr 2014 08:52:29 -0700 (PDT)
In-Reply-To: <1397855070-4480-7-git-send-email-rodrigo.vivi@gmail.com>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/intel-gfx>,
 <mailto:intel-gfx-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/intel-gfx>
List-Post: <mailto:intel-gfx@lists.freedesktop.org>
List-Help: <mailto:intel-gfx-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/intel-gfx>,
 <mailto:intel-gfx-request@lists.freedesktop.org?subject=subscribe>
Errors-To: intel-gfx-bounces@lists.freedesktop.org
Sender: "Intel-gfx" <intel-gfx-bounces@lists.freedesktop.org>
To: Rodrigo Vivi <rodrigo.vivi@gmail.com>, intel-gfx@lists.freedesktop.org
List-Id: intel-gfx@lists.freedesktop.org

On 4/19/2014 2:34 AM, Rodrigo Vivi wrote:
> From: Chris Wilson <chris@chris-wilson.co.uk>
>
> Be we read and chase pointers from the VBT, it is prudent to make sure
> that those accesses are wholly contained within the MMIO region, or else
> we may cause a kernel panic during boot.
>
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> Signed-off-by: Rodrigo Vivi <rodrigo.vivi@gmail.com>
> ---
>   drivers/gpu/drm/i915/intel_bios.c | 68 ++++++++++++++++++++++++++++-----------
>   1 file changed, 50 insertions(+), 18 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/intel_bios.c b/drivers/gpu/drm/i915/intel_bios.c
> index fba9efd..fc9e806 100644
> --- a/drivers/gpu/drm/i915/intel_bios.c
> +++ b/drivers/gpu/drm/i915/intel_bios.c
> @@ -1099,6 +1099,46 @@ static const struct dmi_system_id intel_no_opregion_vbt[] = {
>   	{ }
>   };
>
> +static struct bdb_header *validate_vbt(char *base, size_t size,
> +				       struct vbt_header *vbt,
> +				       const char *source)
> +{
> +	size_t offset;
> +	struct bdb_header *bdb;
> +
> +	if (vbt == NULL) {
> +		DRM_DEBUG_DRIVER("VBT signature missing\n");
> +		return NULL;
> +	}
> +
> +	offset = (char *)vbt - base;
> +	if (offset + sizeof(struct vbt_header) > size) {
> +		DRM_DEBUG_DRIVER("VBT header incomplete\n");
> +		return NULL;
> +	}
> +
> +	if (memcmp(vbt->signature, "$VBT", 4)) {
> +		DRM_DEBUG_DRIVER("VBT invalid signature\n");
> +		return NULL;
> +	}
> +
> +	offset += vbt->bdb_offset;
> +	if (offset + sizeof(struct bdb_header) > size) {
> +		DRM_DEBUG_DRIVER("BDB header incomplete\n");
> +		return NULL;
> +	}
> +
> +	bdb = (struct bdb_header *)(base + offset);
> +	if (offset + bdb->bdb_size > size) {
> +		DRM_DEBUG_DRIVER("BDB incomplete\n");
> +		return NULL;
> +	}

I know that BDB version check is really not enough and VBT should be 
forward compatible, but it would be good to have a version check in 
driver for the current BDB version the parser supports as well. 
Strictly speaking if we  put this check we should ideally reject any 
newer versions, but putting an error log indicating mismatch might be a 
  good idea for debug.


Regards
Shobhit