From: Takashi Iwai
To: Jani Nikula, Joonas Lahtinen, Rodrigo Vivi
Cc: intel-gfx@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2] drm/i915: Fix invalid access to ACPI _DSM objects
Date: Fri, 2 Apr 2021 10:23:17 +0200
Message-Id: <20210402082317.871-1-tiwai@suse.de>

intel_dsm_platform_mux_info() tries to parse the ACPI package data
from _DSM for the debug information, but it assumes the fixed format
without checking what values are stored in the elements actually.
When an unexpected value is returned from BIOS, it may lead to GPF or
NULL dereference, as reported recently.

Add the checks of the contents in the returned values and skip the
values for invalid cases.

v1->v2: Check the info contents before dereferencing, too

BugLink: http://bugzilla.opensuse.org/show_bug.cgi?id=1184074
Cc:
Signed-off-by: Takashi Iwai --- drivers/gpu/drm/i915/display/intel_acpi.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/i915/display/intel_acpi.c b/drivers/gpu/drm/i915/display/intel_acpi.c index e21fb14d5e07..833d0c1be4f1 100644 --- a/drivers/gpu/drm/i915/display/intel_acpi.c +++ b/drivers/gpu/drm/i915/display/intel_acpi.c @@ -84,13 +84,31 @@ static void intel_dsm_platform_mux_info(acpi_handle dhandle) return; } + if (!pkg->package.count) { + DRM_DEBUG_DRIVER("no connection in _DSM\n"); + return; + } + connector_count = &pkg->package.elements[0]; DRM_DEBUG_DRIVER("MUX info connectors: %lld\n", (unsigned long long)connector_count->integer.value); for (i = 1; i < pkg->package.count; i++) { union acpi_object *obj = &pkg->package.elements[i]; - union acpi_object *connector_id = &obj->package.elements[0]; - union acpi_object *info = &obj->package.elements[1]; + union acpi_object *connector_id; + union acpi_object *info; + + if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < 2) { + DRM_DEBUG_DRIVER("Invalid object for MUX #%d\n", i); + continue; + } + + connector_id = &obj->package.elements[0]; + info = &obj->package.elements[1]; + if (info->type != ACPI_TYPE_BUFFER || info->buffer.length < 4) { + DRM_DEBUG_DRIVER("Invalid info for MUX obj #%d\n", i); + continue; + } + DRM_DEBUG_DRIVER("Connector id: 0x%016llx\n", (unsigned long long)connector_id->integer.value); DRM_DEBUG_DRIVER(" port id: %s\n", -- 2.26.2
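
Review bot: connector_count->integer.value (first element of pkg) and connector_id->integer.value (inside the loop) are still read without a type check, while obj and info now get one. Neither read dereferences a pointer, so this is not another crash path, but union acpi_object overlays integer.value with the length, count and pointer fields of the other object types, so a BIOS that returns a non-integer there makes the debug log print whatever bytes sit in the union, possibly a kernel address. Consider adding connector_id->type != ACPI_TYPE_INTEGER to the per-object validation that ends in "continue", and an equivalent check on pkg->package.elements[0] before the "MUX info connectors" print. Separately, the literal 4 in "info->buffer.length < 4" would be easier to audit with a short comment or a named constant saying which info bytes the code below reads.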