mirror of
https://github.com/torvalds/linux.git
synced 2026-05-23 14:42:08 +02:00
86d2b20644
[Why&How] The GPIO pin table parsers in get_gpio_i2c_info() and bios_parser_get_gpio_pin_info() derive an element count from the VBIOS table_header.structuresize field, then iterate over gpio_pin[] entries. However, GET_IMAGE() only validates that the table header itself fits within the BIOS image. If the VBIOS reports a structuresize larger than the actual mapped data, the loop reads past the end of the BIOS image, causing an out-of-bounds read. Fix this by calling bios_get_image() to validate that the full claimed structuresize is accessible within the BIOS image before entering the loop in both functions. Assisted-by: GitHub Copilot:claude-opus-4-6 Reviewed-by: Alex Hung <alex.hung@amd.com> Signed-off-by: Harry Wentland <harry.wentland@amd.com> Signed-off-by: Ivan Lipski <ivan.lipski@amd.com> Tested-by: Dan Wheeler <daniel.wheeler@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit ba5e95b43b773ae1bf1f66ee6b31eb774e65afe3) Cc: stable@vger.kernel.org |
||
|---|---|---|
| .. | ||
| dce60 | ||
| dce80 | ||
| dce110 | ||
| dce112 | ||
| bios_parser_common.c | ||
| bios_parser_common.h | ||
| bios_parser_helper.c | ||
| bios_parser_helper.h | ||
| bios_parser_interface.c | ||
| bios_parser_types_internal.h | ||
| bios_parser_types_internal2.h | ||
| bios_parser.c | ||
| bios_parser.h | ||
| bios_parser2.c | ||
| bios_parser2.h | ||
| command_table_helper_struct.h | ||
| command_table_helper.c | ||
| command_table_helper.h | ||
| command_table_helper2.c | ||
| command_table_helper2.h | ||
| command_table.c | ||
| command_table.h | ||
| command_table2.c | ||
| command_table2.h | ||
| Makefile | ||