Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
IronPort-SDR: 6X284qua5KEzvc9w5bAR5IWfLRW4AFLTWZCLxef9vId0i8AHJTyOL85lKG/0wbWfM/HnqtAYx7
 HO42nxorwuSA==
IronPort-SDR: MH5hwMcGRORpjQZqM8n+1N8J6UzzEX28yImqYCH1YSGUEV6xgVXxn74zn82rdoSTBPD2yGtNDn
 MgQHjQjBS7uQ==
Date:   Wed, 7 Apr 2021 19:34:46 +0300
From:   Ville =?iso-8859-1?Q?Syrj=E4l=E4?= <ville.syrjala@linux.intel.com>
To:     Takashi Iwai <tiwai@suse.de>
Cc:     Jani Nikula <jani.nikula@linux.intel.com>,
        Joonas Lahtinen <joonas.lahtinen@linux.intel.com>,
        Rodrigo Vivi <rodrigo.vivi@intel.com>,
        intel-gfx@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: Re: [Intel-gfx] [PATCH v2] drm/i915: Fix invalid access to ACPI _DSM
 objects
Message-ID: <YG3fJq6wkeQGafSS@intel.com>
References: <20210402082317.871-1-tiwai@suse.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20210402082317.871-1-tiwai@suse.de>
Precedence: bulk

On Fri, Apr 02, 2021 at 10:23:17AM +0200, Takashi Iwai wrote:
> intel_dsm_platform_mux_info() tries to parse the ACPI package data
> from _DSM for the debug information, but it assumes the fixed format
> without checking what values are stored in the elements actually.
> When an unexpected value is returned from BIOS, it may lead to GPF or
> NULL dereference, as reported recently.
> 
> Add the checks of the contents in the returned values and skip the
> values for invalid cases.
> 
> v1->v2: Check the info contents before dereferencing, too
> 
> BugLink: http://bugzilla.opensuse.org/show_bug.cgi?id=1184074
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> ---
>  drivers/gpu/drm/i915/display/intel_acpi.c | 22 ++++++++++++++++++++--
>  1 file changed, 20 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/display/intel_acpi.c b/drivers/gpu/drm/i915/display/intel_acpi.c
> index e21fb14d5e07..833d0c1be4f1 100644
> --- a/drivers/gpu/drm/i915/display/intel_acpi.c
> +++ b/drivers/gpu/drm/i915/display/intel_acpi.c
> @@ -84,13 +84,31 @@ static void intel_dsm_platform_mux_info(acpi_handle dhandle)
>  		return;
>  	}
>  
> +	if (!pkg->package.count) {
> +		DRM_DEBUG_DRIVER("no connection in _DSM\n");
> +		return;
> +	}
> +
>  	connector_count = &pkg->package.elements[0];
>  	DRM_DEBUG_DRIVER("MUX info connectors: %lld\n",
>  		  (unsigned long long)connector_count->integer.value);
>  	for (i = 1; i < pkg->package.count; i++) {
>  		union acpi_object *obj = &pkg->package.elements[i];
> -		union acpi_object *connector_id = &obj->package.elements[0];
> -		union acpi_object *info = &obj->package.elements[1];
> +		union acpi_object *connector_id;
> +		union acpi_object *info;
> +
> +		if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < 2) {
> +			DRM_DEBUG_DRIVER("Invalid object for MUX #%d\n", i);
> +			continue;
> +		}
> +
> +		connector_id = &obj->package.elements[0];

You don't want to check connector_id->type as well?

> +		info = &obj->package.elements[1];
> +		if (info->type != ACPI_TYPE_BUFFER || info->buffer.length < 4) {
> +			DRM_DEBUG_DRIVER("Invalid info for MUX obj #%d\n", i);
> +			continue;
> +		}
> +
>  		DRM_DEBUG_DRIVER("Connector id: 0x%016llx\n",
>  			  (unsigned long long)connector_id->integer.value);
>  		DRM_DEBUG_DRIVER("  port id: %s\n",
> -- 
> 2.26.2
> 
> _______________________________________________
> Intel-gfx mailing list
> Intel-gfx@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/intel-gfx

-- 
Ville Syrj?l?
Intel