From a7cb78bab3671dbad08e5b2f5fd83a6dbda90fe5 Mon Sep 17 00:00:00 2001 From: Ben Skeggs Date: Tue, 11 Apr 2017 08:25:22 +1000 Subject: [PATCH] drm/nouveau/bios/bitP: check that table is long enough for optional pointers Fixes OOB VBIOS accesses on some boards. Signed-off-by: Ben Skeggs --- drivers/gpu/drm/nouveau/nvkm/subdev/bios/boost.c | 2 +- drivers/gpu/drm/nouveau/nvkm/subdev/bios/cstep.c | 2 +- drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c | 2 +- drivers/gpu/drm/nouveau/nvkm/subdev/bios/power_budget.c | 2 +- drivers/gpu/drm/nouveau/nvkm/subdev/bios/vpstate.c | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/boost.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/boost.c index eaf74eb72983..8ab896dd4e92 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/boost.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/boost.c @@ -33,7 +33,7 @@ nvbios_boostTe(struct nvkm_bios *bios, u32 boost = 0; if (!bit_entry(bios, 'P', &bit_P)) { - if (bit_P.version == 2) + if (bit_P.version == 2 && bit_P.length >= 0x34) boost = nvbios_rd32(bios, bit_P.offset + 0x30); if (boost) { diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/cstep.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/cstep.c index 5063382d8a6c..7c8c36054f71 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/cstep.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/cstep.c @@ -33,7 +33,7 @@ nvbios_cstepTe(struct nvkm_bios *bios, u32 cstep = 0; if (!bit_entry(bios, 'P', &bit_P)) { - if (bit_P.version == 2) + if (bit_P.version == 2 && bit_P.length >= 0x38) cstep = nvbios_rd32(bios, bit_P.offset + 0x34); if (cstep) { diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c index 456f9ea920dc..0dfb15a27e4e 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c @@ -32,7 +32,7 @@ nvbios_fan_table(struct nvkm_bios *bios, u8 *ver, u8 *hdr, u8 *cnt, u8 *len) u32 fan = 0; if (!bit_entry(bios, 'P', &bit_P)) { - if (bit_P.version == 2 && bit_P.length >= 0x5a) + if (bit_P.version == 2 && bit_P.length >= 0x5c) fan = nvbios_rd32(bios, bit_P.offset + 0x58); if (fan) { diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/power_budget.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/power_budget.c index 617bfffce4ad..03d2f970a29f 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/power_budget.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/power_budget.c @@ -33,7 +33,7 @@ nvbios_power_budget_table(struct nvkm_bios *bios, u8 *ver, u8 *hdr, u8 *cnt, u32 power_budget; if (bit_entry(bios, 'P', &bit_P) || bit_P.version != 2 || - bit_P.length < 0x2c) + bit_P.length < 0x30) return 0; power_budget = nvbios_rd32(bios, bit_P.offset + 0x2c); diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/vpstate.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/vpstate.c index f199270163d2..20b6fc8243e0 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/vpstate.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/vpstate.c @@ -31,7 +31,7 @@ nvbios_vpstate_offset(struct nvkm_bios *b) struct bit_entry bit_P; if (!bit_entry(b, 'P', &bit_P)) { - if (bit_P.version == 2) + if (bit_P.version == 2 && bit_P.length >= 0x3c) return nvbios_rd32(b, bit_P.offset + 0x38); } -- 2.30.2