drm/displayid: add displayid_get_header() and check bounds better

[ Upstream commit 5bacecc3c56131c31f18b23d366f2184328fd9cf ]

Add a helper to get a pointer to struct displayid_header. To be
pedantic, add buffer overflow checks to not touch the base if that
itself would overflow.

Cc: Iaroslav Boliukin <iam@lach.pw>
Cc: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Tested-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Link: https://patchwork.freedesktop.org/patch/msgid/4a03b3a5132642d3cdb6d4c2641422955a917292.1676580180.git.jani.nikula@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/gpu/drm/drm_displayid.c b/drivers/gpu/drm/drm_displayid.c
index 38ea820..7d03159 100644 (file)
--- a/drivers/gpu/drm/drm_displayid.c
+++ b/drivers/gpu/drm/drm_displayid.c
@@ -7,13 +7,28 @@
 #include <drm/drm_edid.h>
 #include <drm/drm_print.h>
 
+static const struct displayid_header *
+displayid_get_header(const u8 *displayid, int length, int index)
+{
+       const struct displayid_header *base;
+
+       if (sizeof(*base) > length - index)
+               return ERR_PTR(-EINVAL);
+
+       base = (const struct displayid_header *)&displayid[index];
+
+       return base;
+}
+
 static int validate_displayid(const u8 *displayid, int length, int idx)
 {
        int i, dispid_length;
        u8 csum = 0;
        const struct displayid_header *base;
 
-       base = (const struct displayid_header *)&displayid[idx];
+       base = displayid_get_header(displayid, length, idx);
+       if (IS_ERR(base))
+               return PTR_ERR(base);
 
        DRM_DEBUG_KMS("base revision 0x%x, length %d, %d %d\n",
                      base->rev, base->bytes, base->prod_id, base->ext_count);