On 6/21/26 05:43, Bryam Vargas via B4 Relay wrote: > From: Bryam Vargas <[email protected]> > > virtio_get_edid_block() validates the read offset only against the > device-supplied resp->size field, never against the fixed-size resp->edid > array. The EDID block index is driven by the device-supplied extension > count, so a malicious virtio-gpu backend can advertise a large size > together with a high block count and read far past the array into adjacent > kernel memory, which is then surfaced in the parsed EDID (an out-of-bounds > read / info leak). > > Also reject any read whose end exceeds the size of the edid array. > Conforming EDID responses stay within the array and are unaffected. > > Fixes: b4b01b4995fb ("drm/virtio: add edid support") > Cc: [email protected] > Signed-off-by: Bryam Vargas <[email protected]> > --- > drivers/gpu/drm/virtio/virtgpu_vq.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c > b/drivers/gpu/drm/virtio/virtgpu_vq.c > index 67865810a2e7..c8b9475a7472 100644 > --- a/drivers/gpu/drm/virtio/virtgpu_vq.c > +++ b/drivers/gpu/drm/virtio/virtgpu_vq.c > @@ -897,7 +897,8 @@ static int virtio_get_edid_block(void *data, u8 *buf, > struct virtio_gpu_resp_edid *resp = data; > size_t start = block * EDID_LENGTH; > > - if (start + len > le32_to_cpu(resp->size)) > + if (start + len > le32_to_cpu(resp->size) || > + start + len > sizeof(resp->edid)) > return -EINVAL; > memcpy(buf, resp->edid + start, len); > return 0;
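Review bot: the new two-clause condition in virtio_get_edid_block() is correct, but it can be collapsed into one bound that states the intent directly: `if (start + len > min_t(size_t, le32_to_cpu(resp->size), sizeof(resp->edid)))`, i.e. the device-supplied size is honoured only up to the fixed array length. As written, `start + len > sizeof(resp->edid)` is what actually caps the untrusted `resp->size`, so a one-line comment above the check noting that `resp->size` comes from the device and must never be used as the sole bound for the `memcpy()` would help the next reader see why the `sizeof()` clause must stay.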
Applied to misc-fixes, thanks! -- Best regards, Dmitry

