diff options
| author |   Harry Wentland <harry.wentland@amd.com> | 2026-05-04 11:14:45 -0400 |
|---|---|---|
| committer |   Alex Deucher <alexander.deucher@amd.com> | 2026-05-19 12:13:07 -0400 |
| commit | cd86529ec61474a38c3837fb7823790a7c3f8cce (patch) | |
| tree | 41524159f7829b4d06e25a1dca3dbcf1ab3ec059 /include/linux/hsi/ssh:/git@git.zx2c4.com/git: | |
| parent | drm/amdkfd: Check bounds for allocate_sdma_queue restore_sdma_id (diff) | |
drm/amd/display: Fix integer overflow in bios_get_image()
[Why&How]
The bounds check in bios_get_image() computes 'offset + size' using
unsigned 32-bit arithmetic before comparing against bios_size. If a
VBIOS image contains a near-UINT32_MAX offset the addition wraps to a
small value, the comparison passes, and the function returns a wild
pointer past the VBIOS mapping.
Additionally, the comparison uses '<' (strict), which incorrectly
rejects the valid exact-fit case where offset + size == bios_size.
Fix both issues by restructuring the check to avoid the addition
entirely: first reject if offset alone exceeds bios_size, then check
size against the remaining space (bios_size - offset). This eliminates
the overflow and correctly permits exact-fit accesses.
Assisted-by: GitHub Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ivan Lipski <ivan.lipski@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit d40fb392af659c4a02b560319f226842f6ec1a95)
Cc: stable@vger.kernel.org
Diffstat (limited to 'include/linux/hsi/ssh:/git@git.zx2c4.com/git:')
0 files changed, 0 insertions, 0 deletions