[PATCH 23/28] drm/amd/display: Validate GPIO pin LUT table size before iterating

Wed, 13 May 2026 07:34:02 -0700 

From: Harry Wentland <[email protected]>

[Why&How]
The GPIO pin table parsers in get_gpio_i2c_info() and
bios_parser_get_gpio_pin_info() derive an element count from the VBIOS
table_header.structuresize field, then iterate over gpio_pin[] entries.
However, GET_IMAGE() only validates that the table header itself fits
within the BIOS image. If the VBIOS reports a structuresize larger than
the actual mapped data, the loop reads past the end of the BIOS image,
causing an out-of-bounds read.

Fix this by calling bios_get_image() to validate that the full claimed
structuresize is accessible within the BIOS image before entering the
loop in both functions.

Cc: [email protected]

Assisted-by: GitHub Copilot:claude-opus-4-6 Mythos

Reviewed-by: Alex Hung <[email protected]>
Signed-off-by: Harry Wentland <[email protected]>
Signed-off-by: Ivan Lipski <[email protected]>
---
 drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c 
b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
index b4dd8219b8f0..39668db6d472 100644
--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
@@ -493,6 +493,10 @@ static enum bp_result get_gpio_i2c_info(
                        - sizeof(struct atom_common_table_header))
                                / sizeof(struct atom_gpio_pin_assignment);
 
+       if (!bios_get_image(&bp->base, DATA_TABLES(gpio_pin_lut),
+                           le16_to_cpu(header->table_header.structuresize)))
+               return BP_RESULT_BADBIOSTABLE;
+
        pin = (struct atom_gpio_pin_assignment *) header->gpio_pin;
 
        for (table_index = 0; table_index < count; table_index++) {
@@ -681,6 +685,11 @@ static enum bp_result bios_parser_get_gpio_pin_info(
        count = (le16_to_cpu(header->table_header.structuresize)
                        - sizeof(struct atom_common_table_header))
                                / sizeof(struct atom_gpio_pin_assignment);
+
+       if (!bios_get_image(&bp->base, DATA_TABLES(gpio_pin_lut),
+                           le16_to_cpu(header->table_header.structuresize)))
+               return BP_RESULT_BADBIOSTABLE;
+
        for (i = 0; i < count; ++i) {
                if (header->gpio_pin[i].gpio_id != gpio_id)
                        continue;
-- 
2.43.0

Reply via email to