drm/nouveau/bios/bitP: check that table is long enough for optional pointers
authorBen Skeggs <bskeggs@redhat.com>
Mon, 10 Apr 2017 22:25:22 +0000 (08:25 +1000)
committerBen Skeggs <bskeggs@redhat.com>
Sat, 29 Apr 2017 12:39:23 +0000 (22:39 +1000)
Fixes OOB VBIOS accesses on some boards.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
drivers/gpu/drm/nouveau/nvkm/subdev/bios/boost.c
drivers/gpu/drm/nouveau/nvkm/subdev/bios/cstep.c
drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c
drivers/gpu/drm/nouveau/nvkm/subdev/bios/power_budget.c
drivers/gpu/drm/nouveau/nvkm/subdev/bios/vpstate.c

index eaf74eb7298386ec0d41cc96dada6b7f774b4d4d..8ab896dd4e926a28da6a7185254a022312222638 100644 (file)
@@ -33,7 +33,7 @@ nvbios_boostTe(struct nvkm_bios *bios,
        u32 boost = 0;
 
        if (!bit_entry(bios, 'P', &bit_P)) {
-               if (bit_P.version == 2)
+               if (bit_P.version == 2 && bit_P.length >= 0x34)
                        boost = nvbios_rd32(bios, bit_P.offset + 0x30);
 
                if (boost) {
index 5063382d8a6c5f988deec4d6dd5474bcc4cbde3d..7c8c36054f71d5d12327ce957b98469973e1b471 100644 (file)
@@ -33,7 +33,7 @@ nvbios_cstepTe(struct nvkm_bios *bios,
        u32 cstep = 0;
 
        if (!bit_entry(bios, 'P', &bit_P)) {
-               if (bit_P.version == 2)
+               if (bit_P.version == 2 && bit_P.length >= 0x38)
                        cstep = nvbios_rd32(bios, bit_P.offset + 0x34);
 
                if (cstep) {
index 456f9ea920dcf83478e0e9f25518cc887fc78fc4..0dfb15a27e4ef83f29b4dc3f43c279088dab9cf2 100644 (file)
@@ -32,7 +32,7 @@ nvbios_fan_table(struct nvkm_bios *bios, u8 *ver, u8 *hdr, u8 *cnt, u8 *len)
        u32 fan = 0;
 
        if (!bit_entry(bios, 'P', &bit_P)) {
-               if (bit_P.version == 2 && bit_P.length >= 0x5a)
+               if (bit_P.version == 2 && bit_P.length >= 0x5c)
                        fan = nvbios_rd32(bios, bit_P.offset + 0x58);
 
                if (fan) {
index 617bfffce4ad5e1dd35ac8259d7b23552ca55a04..03d2f970a29ff23096a1cef960d46db320abf6cd 100644 (file)
@@ -33,7 +33,7 @@ nvbios_power_budget_table(struct nvkm_bios *bios, u8 *ver, u8 *hdr, u8 *cnt,
        u32 power_budget;
 
        if (bit_entry(bios, 'P', &bit_P) || bit_P.version != 2 ||
-           bit_P.length < 0x2c)
+           bit_P.length < 0x30)
                return 0;
 
        power_budget = nvbios_rd32(bios, bit_P.offset + 0x2c);
index f199270163d2c17aa938c3fc0792de2813f3d89c..20b6fc8243e0aa1a9d3e8b9228c952617e908745 100644 (file)
@@ -31,7 +31,7 @@ nvbios_vpstate_offset(struct nvkm_bios *b)
        struct bit_entry bit_P;
 
        if (!bit_entry(b, 'P', &bit_P)) {
-               if (bit_P.version == 2)
+               if (bit_P.version == 2 && bit_P.length >= 0x3c)
                        return nvbios_rd32(b, bit_P.offset + 0x38);
        }