
Bug#685604: Radeon may try to read past end of video bios (memory allocation in acpi driver)



tags 685604 + upstream moreinfo
quit

Hi Pauli,

Pauli wrote:

> I built a custom Debian kernel using a config with debug options turned
> on. That caught, during boot, a memory read past the end of a memory
> allocation. The issue happens in the video BIOS reading code that calls
> into ACPI to fetch the video BIOS. Memory allocation for the returned
> video BIOS happens in the ACPI driver, but radeon failed to check the
> amount of data returned by ACPI.
>
> There is an upstream fix for the issue, but it is split into 3 separate
> commits that fix the relevant code path. I'm currently running the
> backported patch with 3.2.0-3

Thanks, and sorry for the slow response.

Patches you listed:

  a3f83ab1a717 drm/radeon: fix invalid memory access in radeon_atrm_get_bios
  211fa4fc4e13 drm/radeon: finish getting bios earlier
  de47a9cd6277 drm/radeon: fix use after free in ATRM bios reading code

Before these patches, radeon_atrm_call() looks like so:

	static int radeon_atrm_call(acpi_handle atrm_handle, uint8_t *bios,
				    int offset, int len)
	{
		...
		status = <call atrm_handle, offset, len>;
		if (ACPI_FAILURE(status)) {
			... handle error ...
			return -ENODEV;
		}

		obj = buffer.pointer;
		memcpy(bios + offset, obj->buffer.pointer, len);
		kfree(buffer.pointer);
		return len;
	}

This is called in a loop with len == ATRM_BIOS_PAGE, to get the
BIOS one page at a time.

The bug: the ACPI call can return a result of fewer than 4096 bytes,
but the memcpy() still copies len bytes, so it reads past the end of
the buffer ACPI returned (uninitialized memory) and trips the kernel's
memory debugging options.
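To show the failure mode in isolation, here is an added example (not the radeon
driver's code): a simulated ATRM method over a constructed 6000-byte ROM, a page
reader that copies only what was returned, and a page loop that stops on a short
read. fake_atrm_call, atrm_read_page and atrm_read_bios are hypothetical names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ATRM_BIOS_PAGE 4096
#define FAKE_ROM_SIZE  6000   /* constructed: not a multiple of the page size */

/* Stand-in for the ACPI buffer object: bytes actually returned plus the data. */
struct acpi_buf { size_t length; uint8_t *pointer; };
/* Simulated ATRM method over a constructed ROM whose byte at i is (uint8_t)i.
 * It hands back at most `len` bytes from `offset`, and fewer at the end of
 * the ROM, which is the case the unpatched driver ignored. Caller frees. */
static int fake_atrm_call(int offset, int len, struct acpi_buf *buf)
{
    if (offset < 0 || len < 0 || offset >= FAKE_ROM_SIZE) return -1;
    size_t avail = FAKE_ROM_SIZE - (size_t)offset;
    size_t n = (size_t)len < avail ? (size_t)len : avail;
    buf->pointer = malloc(n ? n : 1);
    if (!buf->pointer) return -1;
    for (size_t i = 0; i < n; i++) buf->pointer[i] = (uint8_t)(offset + i);
    buf->length = n;
    return 0;
}

/* Hardened page read: copy only what ACPI returned and report that count.
 * The unpatched radeon_atrm_call() did memcpy(bios + offset, ..., len)
 * regardless of buf.length, reading past the end of the returned buffer. */
static int atrm_read_page(uint8_t *bios, int offset, int len)
{
    struct acpi_buf buf;
    if (fake_atrm_call(offset, len, &buf) != 0) return -1;
    size_t n = buf.length < (size_t)len ? buf.length : (size_t)len;
    memcpy(bios + offset, buf.pointer, n);
    free(buf.pointer);
    return (int)n;
}

/* Page loop: a short read means the firmware has no more data, so stop. */
static int atrm_read_bios(uint8_t *bios, int size)
{
    int total = 0;
    while (total < size) {
        int want = size - total < ATRM_BIOS_PAGE ? size - total : ATRM_BIOS_PAGE;
        int got = atrm_read_page(bios, total, want);
        if (got < 0) return -1;
        total += got;
        if (got < want) break;
    }
    return total;
}
```

Asking for 8192 bytes copies exactly the 6000 the fake ROM holds, and the bytes
beyond that are left untouched rather than filled from past the returned buffer.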

The first of those three patches should be safe alone and should be
enough to fix that.  Does your testing yield a different result?

Curious,
Jonathan

