On 6/21/26 05:43, Bryam Vargas via B4 Relay wrote:
> From: Bryam Vargas <[email protected]>
> 
> virtio_get_edid_block() validates the read offset only against the
> device-supplied resp->size field, never against the fixed-size resp->edid
> array. The EDID block index is driven by the device-supplied extension
> count, so a malicious virtio-gpu backend can advertise a large size
> together with a high block count and read far past the array into adjacent
> kernel memory, which is then surfaced in the parsed EDID (an out-of-bounds
> read / info leak).
> 
> Also reject any read whose end exceeds the size of the edid array.
> Conforming EDID responses stay within the array and are unaffected.
> 
> Fixes: b4b01b4995fb ("drm/virtio: add edid support")
> Cc: [email protected]
> Signed-off-by: Bryam Vargas <[email protected]>
> ---
>  drivers/gpu/drm/virtio/virtgpu_vq.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c 
> b/drivers/gpu/drm/virtio/virtgpu_vq.c
> index 67865810a2e7..c8b9475a7472 100644
> --- a/drivers/gpu/drm/virtio/virtgpu_vq.c
> +++ b/drivers/gpu/drm/virtio/virtgpu_vq.c
> @@ -897,7 +897,8 @@ static int virtio_get_edid_block(void *data, u8 *buf,
>       struct virtio_gpu_resp_edid *resp = data;
>       size_t start = block * EDID_LENGTH;
>  
> -     if (start + len > le32_to_cpu(resp->size))
> +     if (start + len > le32_to_cpu(resp->size) ||
> +         start + len > sizeof(resp->edid))
>               return -EINVAL;
>       memcpy(buf, resp->edid + start, len);
>       return 0;
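Review bot: the new condition `if (start + len > le32_to_cpu(resp->size) ||` / `start + len > sizeof(resp->edid))` compares the same quantity against two limits; clamping the device-supplied size once, e.g. `size_t size = min_t(size_t, le32_to_cpu(resp->size), sizeof(resp->edid));` followed by `if (start + len > size)`, states the intent (never trust resp->size beyond the array) as a single bound and avoids evaluating `start + len` twice. This is only a style point: the check as written is correct for the attack the commit message describes, and because both limits are applied to `start + len` rather than `start` alone, a read that begins inside the array but would end past it is rejected as well.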

Applied to misc-fixes, thanks!

-- 
Best regards,
Dmitry
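The following is an added, user-space model of the check the patch above changes; it is not the kernel's code and not part of this thread. The `model_resp_edid` struct, its field names and the 1024-byte array size are assumptions chosen for the demonstration, and the little-endian conversion the kernel performs on the size field is omitted because the model is host-endian. It places a constructed "neighbour" region directly after the edid array so the over-read the commit message describes can be observed, then runs the pre-fix and post-fix checks against a malicious response (huge advertised size) and a conforming one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EDID_LENGTH 128            /* size of one EDID block, as in the kernel */
#define MODEL_EDID_ARRAY 1024      /* assumed size of the fixed edid[] array */

/* Simplified stand-in for virtio_gpu_resp_edid (field layout is assumed). */
struct model_resp_edid {
	uint32_t size;             /* device-supplied byte count: untrusted */
	uint8_t edid[MODEL_EDID_ARRAY];
};

/*
 * Place the response in front of constructed "neighbour" memory so an
 * over-read has something recognisable to pick up, standing in for the
 * adjacent kernel memory mentioned in the commit message.
 */
struct model_page {
	struct model_resp_edid resp;
	uint8_t neighbour[EDID_LENGTH * 2];
};

#define EDID_FILL      0xA5        /* bytes inside the edid array */
#define NEIGHBOUR_FILL 0x5E        /* bytes just past it (constructed) */

/* Before the fix: bounded only by the device-supplied size. */
static int get_edid_block_before(void *data, uint8_t *buf,
				 unsigned int block, size_t len)
{
	struct model_resp_edid *resp = data;
	size_t start = block * EDID_LENGTH;

	/* The kernel uses le32_to_cpu(resp->size); the model is host-endian. */
	if (start + len > resp->size)
		return -1;
	memcpy(buf, resp->edid + start, len);   /* may run past edid[] */
	return 0;
}

/* After the fix: also bounded by the array itself. */
static int get_edid_block_after(void *data, uint8_t *buf,
				unsigned int block, size_t len)
{
	struct model_resp_edid *resp = data;
	size_t start = block * EDID_LENGTH;

	if (start + len > resp->size ||
	    start + len > sizeof(resp->edid))
		return -1;
	memcpy(buf, resp->edid + start, len);
	return 0;
}

typedef int (*get_block_fn)(void *, uint8_t *, unsigned int, size_t);

/*
 * Fetch one EDID block from a response whose size field says 'advertised'.
 * Returns 0 if the read was rejected, 1 if the bytes came from inside
 * edid[], and 2 if they came from the neighbour region, i.e. the
 * out-of-bounds read the commit message describes.
 */
static int probe_block(get_block_fn get_block, uint32_t advertised,
		       unsigned int block)
{
	struct model_page page;
	uint8_t out[EDID_LENGTH];

	memset(page.resp.edid, EDID_FILL, sizeof(page.resp.edid));
	memset(page.neighbour, NEIGHBOUR_FILL, sizeof(page.neighbour));
	page.resp.size = advertised;

	if (get_block(&page.resp, out, block, sizeof(out)) != 0)
		return 0;
	return out[0] == NEIGHBOUR_FILL ? 2 : 1;
}

int main(void)
{
	const uint32_t huge = 0x7fffffffu;      /* malicious backend: huge size */
	const uint32_t sane = 2 * EDID_LENGTH;  /* conforming: base + 1 extension */

	printf("before, huge size, block 8: %d (2 = leaked neighbour bytes)\n",
	       probe_block(get_edid_block_before, huge, 8));
	printf("after,  huge size, block 8: %d (0 = rejected)\n",
	       probe_block(get_edid_block_after, huge, 8));
	printf("after,  sane size, block 1: %d (1 = in bounds)\n",
	       probe_block(get_edid_block_after, sane, 1));
	printf("after,  sane size, block 2: %d (0 = rejected)\n",
	       probe_block(get_edid_block_after, sane, 2));
	return 0;
}
```

Block 8 is the first block whose start offset equals the array size, so the old check admits it as long as the advertised size is large, while the new check rejects it; with a conforming size the two checks behave identically, which is the "unaffected" case the commit message mentions. Note that the pre-fix function deliberately reads past the array and is undefined behaviour in C; it is here only to make the leak visible.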
