drm/nouveau/bios/bitP: check that table is long enough for optional pointers

Fixes OOB VBIOS accesses on some boards. Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
author: Ben Skeggs <bskeggs@redhat.com> 2017-04-10 18:25:22 -0400
committer: Ben Skeggs <bskeggs@redhat.com> 2017-04-29 08:39:23 -0400
commit: a7cb78bab3671dbad08e5b2f5fd83a6dbda90fe5 (patch)
tree: f744107295dfc8a9841f835b838b420992b8bae8
parent: eef4988ab4c1a99e88e535502a67763a78d51515 (diff)
5 files changed, 5 insertions, 5 deletions
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/boost.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/boost.c
index eaf74eb72983..8ab896dd4e92 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/boost.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/boost.c
@@ -33,7 +33,7 @@ nvbios_boostTe(struct nvkm_bios *bios,
        u32 boost = 0;
        if (!bit_entry(bios, 'P', &bit_P)) {
-                if (bit_P.version == 2)
+                if (bit_P.version == 2 && bit_P.length >= 0x34)
                        boost = nvbios_rd32(bios, bit_P.offset + 0x30);
                if (boost) {
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/cstep.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/cstep.c
index 5063382d8a6c..7c8c36054f71 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/cstep.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/cstep.c
@@ -33,7 +33,7 @@ nvbios_cstepTe(struct nvkm_bios *bios,
        u32 cstep = 0;
        if (!bit_entry(bios, 'P', &bit_P)) {
-                if (bit_P.version == 2)
+                if (bit_P.version == 2 && bit_P.length >= 0x38)
                        cstep = nvbios_rd32(bios, bit_P.offset + 0x34);
                if (cstep) {
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c
index 456f9ea920dc..0dfb15a27e4e 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c
@@ -32,7 +32,7 @@ nvbios_fan_table(struct nvkm_bios *bios, u8 *ver, u8 *hdr, u8 *cnt, u8 *len)
        u32 fan = 0;
        if (!bit_entry(bios, 'P', &bit_P)) {
-                if (bit_P.version == 2 && bit_P.length >= 0x5a)
+                if (bit_P.version == 2 && bit_P.length >= 0x5c)
                        fan = nvbios_rd32(bios, bit_P.offset + 0x58);
                if (fan) {
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/power_budget.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/power_budget.c
index 617bfffce4ad..03d2f970a29f 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/power_budget.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/power_budget.c
@@ -33,7 +33,7 @@ nvbios_power_budget_table(struct nvkm_bios *bios, u8 *ver, u8 *hdr, u8 *cnt,
        u32 power_budget;
        if (bit_entry(bios, 'P', &bit_P) || bit_P.version != 2 ||
-            bit_P.length < 0x2c)
+            bit_P.length < 0x30)
                return 0;
        power_budget = nvbios_rd32(bios, bit_P.offset + 0x2c);
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/vpstate.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/vpstate.c
index f199270163d2..20b6fc8243e0 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/vpstate.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/vpstate.c
@@ -31,7 +31,7 @@ nvbios_vpstate_offset(struct nvkm_bios *b)
        struct bit_entry bit_P;
        if (!bit_entry(b, 'P', &bit_P)) {
-                if (bit_P.version == 2)
+                if (bit_P.version == 2 && bit_P.length >= 0x3c)
                        return nvbios_rd32(b, bit_P.offset + 0x38);
        }
author	Ben Skeggs <bskeggs@redhat.com>	2017-04-10 18:25:22 -0400
committer	Ben Skeggs <bskeggs@redhat.com>	2017-04-29 08:39:23 -0400
commit	a7cb78bab3671dbad08e5b2f5fd83a6dbda90fe5 (patch)
tree	f744107295dfc8a9841f835b838b420992b8bae8
parent	eef4988ab4c1a99e88e535502a67763a78d51515 (diff)

diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/boost.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/boost.c index eaf74eb72983..8ab896dd4e92 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/boost.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/boost.c
@@ -33,7 +33,7 @@ nvbios_boostTe(struct nvkm_bios *bios,
33	u32 boost = 0;	33	u32 boost = 0;
34		34
35	if (!bit_entry(bios, 'P', &bit_P)) {	35	if (!bit_entry(bios, 'P', &bit_P)) {
36	if (bit_P.version == 2)	36	if (bit_P.version == 2 && bit_P.length >= 0x34)
37	boost = nvbios_rd32(bios, bit_P.offset + 0x30);	37	boost = nvbios_rd32(bios, bit_P.offset + 0x30);
38		38
39	if (boost) {	39	if (boost) {


diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/cstep.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/cstep.c index 5063382d8a6c..7c8c36054f71 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/cstep.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/cstep.c
@@ -33,7 +33,7 @@ nvbios_cstepTe(struct nvkm_bios *bios,
33	u32 cstep = 0;	33	u32 cstep = 0;
34		34
35	if (!bit_entry(bios, 'P', &bit_P)) {	35	if (!bit_entry(bios, 'P', &bit_P)) {
36	if (bit_P.version == 2)	36	if (bit_P.version == 2 && bit_P.length >= 0x38)
37	cstep = nvbios_rd32(bios, bit_P.offset + 0x34);	37	cstep = nvbios_rd32(bios, bit_P.offset + 0x34);
38		38
39	if (cstep) {	39	if (cstep) {


diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c index 456f9ea920dc..0dfb15a27e4e 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c
@@ -32,7 +32,7 @@ nvbios_fan_table(struct nvkm_bios bios, u8 ver, u8 hdr, u8 cnt, u8 *len)
32	u32 fan = 0;	32	u32 fan = 0;
33		33
34	if (!bit_entry(bios, 'P', &bit_P)) {	34	if (!bit_entry(bios, 'P', &bit_P)) {
35	if (bit_P.version == 2 && bit_P.length >= 0x5a)	35	if (bit_P.version == 2 && bit_P.length >= 0x5c)
36	fan = nvbios_rd32(bios, bit_P.offset + 0x58);	36	fan = nvbios_rd32(bios, bit_P.offset + 0x58);
37		37
38	if (fan) {	38	if (fan) {


diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/power_budget.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/power_budget.c index 617bfffce4ad..03d2f970a29f 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/power_budget.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/power_budget.c
@@ -33,7 +33,7 @@ nvbios_power_budget_table(struct nvkm_bios bios, u8 ver, u8 hdr, u8 cnt,
33	u32 power_budget;	33	u32 power_budget;
34		34
35	if (bit_entry(bios, 'P', &bit_P) \|\| bit_P.version != 2 \|\|	35	if (bit_entry(bios, 'P', &bit_P) \|\| bit_P.version != 2 \|\|
36	bit_P.length < 0x2c)	36	bit_P.length < 0x30)
37	return 0;	37	return 0;
38		38
39	power_budget = nvbios_rd32(bios, bit_P.offset + 0x2c);	39	power_budget = nvbios_rd32(bios, bit_P.offset + 0x2c);


diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/vpstate.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/vpstate.c index f199270163d2..20b6fc8243e0 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/vpstate.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/vpstate.c
@@ -31,7 +31,7 @@ nvbios_vpstate_offset(struct nvkm_bios *b)
31	struct bit_entry bit_P;	31	struct bit_entry bit_P;
32		32
33	if (!bit_entry(b, 'P', &bit_P)) {	33	if (!bit_entry(b, 'P', &bit_P)) {
34	if (bit_P.version == 2)	34	if (bit_P.version == 2 && bit_P.length >= 0x3c)
35	return nvbios_rd32(b, bit_P.offset + 0x38);	35	return nvbios_rd32(b, bit_P.offset + 0x38);
36	}	36	}
37		37