On Wed, 10 Jun 2026, [email protected] wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s)
> to consider:
>
> Pre-existing issues:
> - [High] Missing payload size validation in `drm_parse_tiled_block` allows an
> out-of-bounds read of the EDID buffer when parsing malformed DisplayID tiled
> display blocks.
> --
>
> commit 3a0b5d7c7c564335f99c7d692448de9241f67bbd
> Author: Jani Nikula <[email protected]>
>
> drm/displayid: fix Tiled Display Topology ID size
>
> This commit updates the Tiled Display Topology ID size from 8 to 9 bytes
> in the DRM subsystem structures.
>
>> diff --git a/drivers/gpu/drm/drm_connector.c
>> b/drivers/gpu/drm/drm_connector.c
>> index 3fa4d2082cd72..11646453aaac9 100644
>> --- a/drivers/gpu/drm/drm_connector.c
>> +++ b/drivers/gpu/drm/drm_connector.c
> [ ... ]
>> @@ -3579,14 +3579,14 @@ EXPORT_SYMBOL(drm_mode_put_tile_group);
>> * tile group or NULL if not found.
>> */
>> struct drm_tile_group *drm_mode_get_tile_group(struct drm_device *dev,
>> - const char topology[8])
>> + const char topology_id[9])
>> {
>> struct drm_tile_group *tg;
>> int id;
>>
>> mutex_lock(&dev->mode_config.idr_mutex);
>> idr_for_each_entry(&dev->mode_config.tile_idr, tg, id) {
>> - if (!memcmp(tg->group_data, topology, 8)) {
>> + if (!memcmp(tg->group_data, topology_id,
>> sizeof(tg->group_data))) {
>
> [Severity: High]
> This isn't a bug introduced by this patch, but could this lead to an
> out-of-bounds read of the EDID buffer when parsing malformed DisplayID tiled
> display blocks?
>
> Looking at drm_parse_tiled_block() in drivers/gpu/drm/drm_edid.c, the generic
> block is cast to a displayid_tiled_block without validating that the payload
> size (block->num_bytes) is large enough:
>
> drivers/gpu/drm/drm_edid.c:drm_parse_tiled_block() {
> ...
> const struct displayid_tiled_block *tile =
> (struct displayid_tiled_block *)block;
> ...
> tg = drm_mode_get_tile_group(connector->dev, tile->topology_id);
> }
>
> If a malformed EDID provides a tiled block with a short length near the end
> of the allocated EDID buffer, comparing 9 bytes here (or copying them down in
> drm_mode_create_tile_group()) might read past the bounds of the EDID buffer.
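Review bot: the `[9]` in `const char topology_id[9]` decays to a plain pointer, so the new `memcmp(..., sizeof(tg->group_data))` relies entirely on the caller (`drm_parse_tiled_block()` passing `tile->topology_id`) having verified that the block payload actually holds 9 bytes; it would help to state that contract in the kernel-doc comment above `drm_mode_get_tile_group()` ("tile group or NULL if not found."). Also, this hunk uses `sizeof(tg->group_data)` as the new length but the widening of `group_data` from 8 to 9 bytes described in the commit message is not visible here (elided at `[ ... ]`), so a reviewer should confirm the struct change lands in the same patch rather than leaving the comparison length at 8.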
Yeah, maybe you should start reading the mailing list [1]. This patch is in
response to the fix for that very issue.

BR,
Jani.

[1] https://lore.kernel.org/r/[email protected]

--
Jani Nikula, Intel
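For readers following the review comment quoted above, here is an added user-space model (not kernel code, and not the fix Jani refers to) of the payload length check that must precede the cast of a generic DisplayID block to a tiled block. The struct layout mirrors the kernel's `displayid_tiled_block` as an assumption, and the sample bytes are constructed.

```c
/* Added example (user-space model, not kernel code): validate a DisplayID
 * tiled block's declared length against the buffer before reading
 * topology_id. Struct layout mirrors the kernel's displayid_tiled_block
 * as an assumption; all fields are u8, so there is no padding. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define TOPOLOGY_ID_LEN 9            /* 8 -> 9 bytes per the quoted commit */

struct displayid_block {             /* 3-byte generic DisplayID block header */
    uint8_t tag, rev;
    uint8_t num_bytes;               /* declared payload length after header */
};
struct displayid_tiled_block {
    struct displayid_block base;
    uint8_t tile_cap, topo[3], tile_size[4], tile_pixel_bezel[5];
    uint8_t topology_id[TOPOLOGY_ID_LEN];
};
#define TILED_PAYLOAD_MIN \
    (sizeof(struct displayid_tiled_block) - sizeof(struct displayid_block))

/* Copies topology_id into out and returns 1 only if the header fits in buf,
 * the declared payload fits in buf, and the payload covers topology_id. */
int parse_tiled_topology_id(const uint8_t *buf, size_t buf_len,
                            uint8_t out[TOPOLOGY_ID_LEN])
{
    const struct displayid_block *block = (const struct displayid_block *)buf;
    if (buf_len < sizeof(*block))
        return 0;                    /* header runs past end of buffer */
    if (block->num_bytes > buf_len - sizeof(*block))
        return 0;                    /* declared payload runs past buffer */
    if (block->num_bytes < TILED_PAYLOAD_MIN)
        return 0;                    /* payload too short for a tiled block */
    memcpy(out, ((const struct displayid_tiled_block *)block)->topology_id,
           TOPOLOGY_ID_LEN);
    return 1;
}

/* Constructed sample: header + 22-byte payload, topology_id = "TOPOLOGY9". */
static const uint8_t sample_ok[3 + 22] = {
    0x12, 0x00, 22, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 'T', 'O', 'P', 'O', 'L', 'O', 'G', 'Y', '9'
};
/* Returns 1 when the buffer holds the whole block, 0 when the buffer ends
 * `cut` bytes early, i.e. the EDID is truncated inside the tiled block. */
int check_sample(size_t cut)
{
    uint8_t id[TOPOLOGY_ID_LEN];
    if (!parse_tiled_topology_id(sample_ok, sizeof(sample_ok) - cut, id))
        return 0;
    return memcmp(id, "TOPOLOGY9", TOPOLOGY_ID_LEN) == 0;
}
```

With the check in place, a block whose declared 22-byte payload extends past the end of the buffer is rejected before any byte of `topology_id` is read, which is the condition the review comment describes.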
