Thank you for your contribution! Sashiko AI review found 1 potential issue(s) 
to consider:

Pre-existing issues:
- [High] Missing payload size validation in `drm_parse_tiled_block` allows an 
out-of-bounds read of the EDID buffer when parsing malformed DisplayID tiled 
display blocks.
--

commit 3a0b5d7c7c564335f99c7d692448de9241f67bbd
Author: Jani Nikula <[email protected]>

drm/displayid: fix Tiled Display Topology ID size

This commit updates the Tiled Display Topology ID size from 8 to 9 bytes
in the DRM subsystem structures.

> diff --git a/drivers/gpu/drm/drm_connector.c b/drivers/gpu/drm/drm_connector.c
> index 3fa4d2082cd72..11646453aaac9 100644
> --- a/drivers/gpu/drm/drm_connector.c
> +++ b/drivers/gpu/drm/drm_connector.c
[ ... ]
> @@ -3579,14 +3579,14 @@ EXPORT_SYMBOL(drm_mode_put_tile_group);
>   * tile group or NULL if not found.
>   */
>  struct drm_tile_group *drm_mode_get_tile_group(struct drm_device *dev,
> -                                            const char topology[8])
> +                                            const char topology_id[9])
>  {
>       struct drm_tile_group *tg;
>       int id;
>  
>       mutex_lock(&dev->mode_config.idr_mutex);
>       idr_for_each_entry(&dev->mode_config.tile_idr, tg, id) {
> -             if (!memcmp(tg->group_data, topology, 8)) {
> +             if (!memcmp(tg->group_data, topology_id, 
> sizeof(tg->group_data))) {
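Review bot: the new `memcmp(tg->group_data, topology_id, sizeof(tg->group_data))` ties the comparison length to the size of `group_data` in `struct drm_tile_group`, which this hunk does not show; the fix only holds if that array is grown to 9 bytes in the same series, otherwise the comparison still stops at 8 while the parameter now promises 9. Note also that `const char topology_id[9]` decays to a plain pointer in a parameter list, so the `[9]` documents the contract but the compiler does not enforce it, and every caller (drm_parse_tiled_block() included) must guarantee 9 readable bytes. A `BUILD_BUG_ON(sizeof(tg->group_data) != 9)` or one shared constant for both sizes would keep the two from drifting apart again.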

[Severity: High]
This isn't a bug introduced by this patch, but could this lead to an
out-of-bounds read of the EDID buffer when parsing malformed DisplayID tiled
display blocks?

Looking at drm_parse_tiled_block() in drivers/gpu/drm/drm_edid.c, the generic
block is cast to a displayid_tiled_block without validating that the payload
size (block->num_bytes) is large enough:

drivers/gpu/drm/drm_edid.c:drm_parse_tiled_block() {
    ...
    const struct displayid_tiled_block *tile =
        (struct displayid_tiled_block *)block;
    ...
    tg = drm_mode_get_tile_group(connector->dev, tile->topology_id);
}

If a malformed EDID provides a tiled block with a short length near the end
of the allocated EDID buffer, comparing 9 bytes here (or copying them down in
drm_mode_create_tile_group()) might read past the bounds of the EDID buffer.

[ ... ]

-- 
Sashiko AI review ·
https://sashiko.dev/#/patchset/[email protected]?part=1
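As an added example (not code from the patch or from the kernel), a minimal C model of the payload-length validation that the review above says drm_parse_tiled_block() is missing before it casts the generic block; the struct layouts, the tag value and the function names are simplified assumptions, not the real displayid_block and displayid_tiled_block definitions from drm_edid.c.

```c
/* Added example, not kernel code: a minimal model of the DisplayID block
 * length validation the review above says drm_parse_tiled_block() lacks.
 * Struct layouts here are simplified assumptions, not drm_edid.c's. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TOPOLOGY_ID_LEN 9    /* 9 bytes, as in the patch above */
#define TILED_BLOCK_TAG 0x12 /* assumed tag value for this model */
struct block_hdr {           /* generic DisplayID data block header */
    uint8_t tag, rev;
    uint8_t num_bytes;       /* payload length, header excluded */
};

struct tiled_block {         /* simplified tiled block: 24 bytes total */
    struct block_hdr base;
    uint8_t tile_cap, topo_lo, topo_hi, tile_size[4], bezel[5];
    uint8_t topology_id[TOPOLOGY_ID_LEN]; /* at byte offset 15 */
};

/* Parse the block at `off`, copying its topology ID into `out`.
 * Returns 0 on success, -1 if the block is truncated or malformed. */
int parse_tiled_block(const uint8_t *edid, size_t len, size_t off,
                      uint8_t out[TOPOLOGY_ID_LEN])
{
    const struct block_hdr *hdr;
    size_t need = sizeof(struct tiled_block) - sizeof(*hdr);

    if (off > len || len - off < sizeof(*hdr)) /* header fits at all? */
        return -1;
    hdr = (const struct block_hdr *)(edid + off);
    if (hdr->tag != TILED_BLOCK_TAG)
        return -1;
    /* Declared payload must cover the struct we cast to AND be present
     * in the buffer; either failure would read past the end of `edid`. */
    if (hdr->num_bytes < need || len - off - sizeof(*hdr) < hdr->num_bytes)
        return -1;
    memcpy(out, ((const struct tiled_block *)hdr)->topology_id, TOPOLOGY_ID_LEN);
    return 0;
}

/* Constructed sample: a valid 24-byte block, then the same bytes in a 12-byte buffer. */
int demo_checks(void)
{
    uint8_t blk[24] = { TILED_BLOCK_TAG, 0x00, 21 }, id[TOPOLOGY_ID_LEN];
    memcpy(blk + 15, "ABCDEFGHI", TOPOLOGY_ID_LEN);
    if (parse_tiled_block(blk, 24, 0, id) || memcmp(id, "ABCDEFGHI", 9))
        return 0;
    return parse_tiled_block(blk, 12, 0, id) == -1; /* truncated: rejected */
}
```

The second check matters as much as the first: a block whose num_bytes claims 21 bytes but whose buffer ends after 12 is exactly the "short length near the end of the allocated EDID buffer" case described above.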
