09-03-2012, 07:56 AM
Jonathan Nieder

Bug#685604: Radeon may try to read past end of video bios (memory allocation in acpi driver)

tags 685604 + upstream moreinfo
quit

Hi Pauli,

Pauli wrote:

> I built a custom Debian kernel using a config with debug options turned
> on. That caught, at boot, a memory read past the end of a memory allocation. The
> issue happens in the video BIOS reading code that calls into ACPI to fetch
> the video BIOS. Memory allocation for the returned video BIOS happens in the ACPI
> driver, but radeon failed to check the amount of data returned by ACPI.
>
> There is an upstream fix for the issue. But it is split into 3 separate
> commits to fix the relevant code path. I'm currently running the
> backported patch with 3.2.0-3

Thanks, and sorry for the slow response.

Patches you listed:

a3f83ab1a717 drm/radeon: fix invalid memory access in radeon_atrm_get_bios
211fa4fc4e13 drm/radeon: finish getting bios earlier
de47a9cd6277 drm/radeon: fix use after free in ATRM bios reading code

Before these patches, radeon_atrm_call() looks like so:

	static int radeon_atrm_call(acpi_handle atrm_handle, uint8_t *bios,
				    int offset, int len)
	{
		...
		status = <call atrm_handle, offset, len>;
		if (ACPI_FAILURE(status)) {
			... handle error ...
			return -ENODEV;
		}

		obj = buffer.pointer;
		memcpy(bios + offset, obj->buffer.pointer, len);
		kfree(buffer.pointer);
		return len;
	}

This is called in a loop with len == ATRM_BIOS_PAGE, to get the
BIOS one page at a time.

The bug: the ACPI call can return a result of less than 4096 bytes,
meaning this memcpy() will read uninitialized memory and trip
debugging tools.

The first of those three patches should be safe alone and should be
enough to fix that. Does your testing yield a different result?

Curious,
Jonathan


--
Archive: http://lists.debian.org/20120903075602.GA3277@mannheim-rule.local
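
The short-read case described in the message above, as an added userspace example (not code from the original post or from the radeon driver). The names fake_acpi_buf, fake_atrm_eval, atrm_call_checked and read_bios are hypothetical; the copy is clamped to the length the callee actually returned, and stopping the loop at the first short page is a choice made for this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ATRM_BIOS_PAGE 4096

/* Stand-in for the ACPI result object: the callee decides its length. */
struct fake_acpi_buf { size_t length; unsigned char *pointer; };

/* Hypothetical firmware call: returns at most what is left of the image. */
static int fake_atrm_eval(const unsigned char *image, size_t image_len,
			  size_t offset, size_t len, struct fake_acpi_buf *out)
{
	size_t avail = offset < image_len ? image_len - offset : 0;

	out->length = avail < len ? avail : len;
	out->pointer = malloc(out->length ? out->length : 1);
	if (!out->pointer)
		return -1;
	memcpy(out->pointer, image + offset, out->length);
	return 0;
}

/* Checked copy: never read more than the returned buffer holds. */
static int atrm_call_checked(const unsigned char *image, size_t image_len,
			     unsigned char *bios, size_t offset, size_t len)
{
	struct fake_acpi_buf buf;

	if (fake_atrm_eval(image, image_len, offset, len, &buf))
		return -1;
	if (buf.length < len)
		len = buf.length;	/* clamp to what was returned */
	memcpy(bios + offset, buf.pointer, len);
	free(buf.pointer);
	return (int)len;
}

/* Page-at-a-time loop; a short page ends the read (assumption of this sketch). */
static size_t read_bios(const unsigned char *image, size_t image_len,
			unsigned char *bios, size_t bios_size)
{
	size_t total = 0;

	while (total + ATRM_BIOS_PAGE <= bios_size) {
		int ret = atrm_call_checked(image, image_len, bios, total, ATRM_BIOS_PAGE);
		if (ret < 0)
			break;
		total += (size_t)ret;
		if (ret < ATRM_BIOS_PAGE)
			break;
	}
	return total;
}
```

Building this with -fsanitize=address and removing the clamp reproduces the kind of report a debug kernel gives for the unchecked memcpy().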
 
