summaryrefslogtreecommitdiff
path: root/drivers
diff options
context:
space:
mode:
authorBryam Vargas <hexlabsecurity@proton.me>2026-06-20 21:43:34 -0500
committerDmitry Osipenko <dmitry.osipenko@collabora.com>2026-06-30 16:04:27 +0300
commit4e1a53892ba7f8a3e1da6bfc53c83ae7c812dccd (patch)
tree27c8628b299558d85f384849afd424e716e4b876 /drivers
parent64ace85a725957e2359785d2a22cd285eec966de (diff)
drm/virtio: bound EDID block reads to the response buffer
virtio_get_edid_block() validates the read offset only against the device-supplied resp->size field, never against the fixed-size resp->edid array. The EDID block index is driven by the device-supplied extension count, so a malicious virtio-gpu backend can advertise a large size together with a high block count and read far past the array into adjacent kernel memory, which is then surfaced in the parsed EDID (an out-of-bounds read / info leak). Also reject any read whose end exceeds the size of the edid array. Conforming EDID responses stay within the array and are unaffected. Fixes: b4b01b4995fb ("drm/virtio: add edid support") Cc: stable@vger.kernel.org Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me> Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com> Link: https://patch.msgid.link/20260620-b4-disp-22bba7bf-v1-1-b95924cee742@proton.me
Diffstat (limited to 'drivers')
-rw-r--r--drivers/gpu/drm/virtio/virtgpu_vq.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c
index 67865810a2e7..c8b9475a7472 100644
--- a/drivers/gpu/drm/virtio/virtgpu_vq.c
+++ b/drivers/gpu/drm/virtio/virtgpu_vq.c
@@ -897,7 +897,8 @@ static int virtio_get_edid_block(void *data, u8 *buf,
struct virtio_gpu_resp_edid *resp = data;
size_t start = block * EDID_LENGTH;
- if (start + len > le32_to_cpu(resp->size))
+ if (start + len > le32_to_cpu(resp->size) ||
+ start + len > sizeof(resp->edid))
return -EINVAL;
memcpy(buf, resp->edid + start, len);
return 0;