Malformed ACPI CRAT tables can advertise a zero or undersized subtype
length. The parser then fails to advance the cursor and loops forever
while the remaining image still looks large enough for a generic header.

Validate sub_type_hdr->length on each iteration before parsing or
advancing. Return -EINVAL and warn when length is zero or smaller than
the generic subtype header.

Signed-off-by: Yongqiang Sun <Yongqiang.Sun@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
sub_type_hdr = (struct crat_subtype_generic *)(crat_table+1);
while ((char *)sub_type_hdr + sizeof(struct crat_subtype_generic) <
((char *)crat_image) + image_len) {
+ if (!sub_type_hdr->length ||
+ sub_type_hdr->length < sizeof(struct crat_subtype_generic)) {
+ pr_warn("Invalid CRAT subtype length %u\n",
+ sub_type_hdr->length);
+ ret = -EINVAL;
+ break;
+ }
+
if (sub_type_hdr->flags & CRAT_SUBTYPE_FLAGS_ENABLED) {
ret = kfd_parse_subtype(sub_type_hdr, device_list);
if (ret)
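Review bot: The added check at the top of the loop body bounds sub_type_hdr->length only from below; nothing in the visible lines verifies that (char *)sub_type_hdr + sub_type_hdr->length stays within (char *)crat_image + image_len before the entry is passed to kfd_parse_subtype(). The while condition only guarantees room for a generic header, so a subtype whose advertised length runs past the end of the image still reaches the parser. Consider rejecting that case in the same branch with -EINVAL, so both the undersized and the oversized length are handled in one place. Minor style point: the !sub_type_hdr->length test is already covered by the < sizeof(struct crat_subtype_generic) comparison and can be dropped. Since the warning fires on firmware-supplied data, it would also help triage if the message included the subtype's offset within the image.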