drm/i915/bios: make sure to check vbt size

When we call intel_bios_is_valid_vbt(), size may not actually be the
size of the VBT, but rather the size of the blob the VBT is contained
in. For example, when mapping the PCI oprom, size will be the entire
oprom size. We don't want to read beyond what is reported to be the
VBT. So make sure we vbt->vbt_size makes sense and use that for
the latter checks.

v2: check for vbt_size after checking for vbt signature and give it a
more meaningful error message (from Jani)

Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20191108003602.33526-3-lucas.demarchi@intel.com

diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c
index 5042d71b30041ea3e0d162d1fe9156ea6f4c210e..f345f8d900d245d88251e765743ab406714910ea 100644 (file)
--- a/drivers/gpu/drm/i915/display/intel_bios.c
+++ b/drivers/gpu/drm/i915/display/intel_bios.c
@@ -1772,6 +1772,13 @@ bool intel_bios_is_valid_vbt(const void *buf, size_t size)
                return false;
        }
 
+       if (vbt->vbt_size > size) {
+               DRM_DEBUG_DRIVER("VBT incomplete (vbt_size overflows)\n");
+               return false;
+       }
+
+       size = vbt->vbt_size;
+
        if (range_overflows_t(size_t,
                              vbt->bdb_offset,
                              sizeof(struct bdb_header),