Commit b6a37a9

tiwai authored and rodrigovivi committed
drm/i915: Fix invalid access to ACPI _DSM objects
intel_dsm_platform_mux_info() tries to parse the ACPI package data from _DSM for the debug information, but it assumes the fixed format without checking what values are stored in the elements actually. When an unexpected value is returned from BIOS, it may lead to GPF or NULL dereference, as reported recently.

Add the checks of the contents in the returned values and skip the values for invalid cases.

v1->v2: Check the info contents before dereferencing, too

BugLink: http://bugzilla.opensuse.org/show_bug.cgi?id=1184074
Cc: <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Ville Syrjälä <[email protected]>
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
(cherry picked from commit 337d7a1)
Signed-off-by: Rodrigo Vivi <[email protected]>
1 parent e49d033 commit b6a37a9

1 file changed

+20
-2
lines changed

drivers/gpu/drm/i915/display/intel_acpi.c

Lines changed: 20 additions & 2 deletions
@@ -84,13 +84,31 @@ static void intel_dsm_platform_mux_info(acpi_handle dhandle)
8484
return;
8585
}
8686

87+
if (!pkg->package.count) {
88+
DRM_DEBUG_DRIVER("no connection in _DSM\n");
89+
return;
90+
}
91+
8792
connector_count = &pkg->package.elements[0];
8893
DRM_DEBUG_DRIVER("MUX info connectors: %lld\n",
8994
(unsigned long long)connector_count->integer.value);
9095
for (i = 1; i < pkg->package.count; i++) {
9196
union acpi_object *obj = &pkg->package.elements[i];
92-
union acpi_object *connector_id = &obj->package.elements[0];
93-
union acpi_object *info = &obj->package.elements[1];
97+
union acpi_object *connector_id;
98+
union acpi_object *info;
99+
100+
if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < 2) {
101+
DRM_DEBUG_DRIVER("Invalid object for MUX #%d\n", i);
102+
continue;
103+
}
104+
105+
connector_id = &obj->package.elements[0];
106+
info = &obj->package.elements[1];
107+
if (info->type != ACPI_TYPE_BUFFER || info->buffer.length < 4) {
108+
DRM_DEBUG_DRIVER("Invalid info for MUX obj #%d\n", i);
109+
continue;
110+
}
111+
94112
DRM_DEBUG_DRIVER("Connector id: 0x%016llx\n",
95113
(unsigned long long)connector_id->integer.value);
96114
DRM_DEBUG_DRIVER(" port id: %s\n",
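
Review bot: The new early exit under `if (!pkg->package.count)` uses a bare `return;` even though `pkg` has already been obtained and is being dereferenced at that point; if the function releases `pkg` at its end (that part is outside this hunk), this path skips the release, so it should share the normal exit's cleanup instead of returning directly. Separately, `connector_count->integer.value` and `connector_id->integer.value` are still read without confirming those elements are `ACPI_TYPE_INTEGER`, while `obj` and `info` now get type checks; a matching check would keep the debug output from printing whatever the BIOS stored in a differently typed element. The literal 4 in `info->buffer.length < 4` also deserves a short comment saying which buffer bytes the following prints consume.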
