From: Luca Coelho Date: Tue, 28 May 2024 11:29:00 +0000 (+0300) Subject: drm/i915/bios: double check array-boundary in parse_sdvo_lvds_data X-Git-Tag: v6.11-rc1~141^2~20^2~214 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b2c2f2df6f01174eefc1ea2aa9aef8b1a6c69575;p=thirdparty%2Fkernel%2Flinux.git drm/i915/bios: double check array-boundary in parse_sdvo_lvds_data During static analysis, a concern was raised that we may access the dtd->dtd[] array out of bounds, because we are not checking whether the index we use is larger than the array. This should not be a problem as is, because the enumeration that is used for this index comes from "panel_type", which uses an enumeration with 4 items. But if this enumeration is ever changed, it can lead to hard-to-detect bugs, so better double-check it before using it as an index to the array. Signed-off-by: Luca Coelho Reviewed-by: Rodrigo Vivi Signed-off-by: Suraj Kandpal Link: https://patchwork.freedesktop.org/patch/msgid/20240528112901.476068-2-luciano.coelho@intel.com --- diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c index b0a49b2f957f5..128fe9250f400 100644 --- a/drivers/gpu/drm/i915/display/intel_bios.c +++ b/drivers/gpu/drm/i915/display/intel_bios.c @@ -1120,6 +1120,18 @@ parse_sdvo_lvds_data(struct drm_i915_private *i915, if (!dtd) return; + /* + * This should not happen, as long as the panel_type + * enumeration doesn't grow over 4 items. But if it does, it + * could lead to hard-to-detect bugs, so better double-check + * it here to be sure. + */ + if (index >= ARRAY_SIZE(dtd->dtd)) { + drm_err(&i915->drm, "index %d is larger than dtd->dtd[4] array\n", + index); + return; + } + panel_fixed_mode = kzalloc(sizeof(*panel_fixed_mode), GFP_KERNEL); if (!panel_fixed_mode) return;