From: Kent Russell Date: Tue, 24 Mar 2020 09:29:46 +0000 (-0400) Subject: drm/amdgpu: Fix FRU data checking X-Git-Tag: v5.10.7~2352^2~20^2~246 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=714309f0f3e32a52beca44460986caf8d9e143f3;p=platform%2Fkernel%2Flinux-rpi.git drm/amdgpu: Fix FRU data checking Ensure that when we memcpy, we don't end up copying more data than the struct supports. For now, this is 16 characters for product number and serial number, and 32 chars for product name Signed-off-by: Kent Russell Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher --- diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_fru_eeprom.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_fru_eeprom.c index 6f5e98f..bfe4259 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_fru_eeprom.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_fru_eeprom.c @@ -116,6 +116,13 @@ int amdgpu_fru_get_product_info(struct amdgpu_device *adev) return size; } + /* Product name should only be 32 characters. Any more, + * and something could be wrong. Cap it at 32 to be safe + */ + if (size > 32) { + DRM_WARN("FRU Product Number is larger than 32 characters. This is likely a mistake"); + size = 32; + } /* Start at 2 due to buff using fields 0 and 1 for the address */ memcpy(adev->product_name, &buff[2], size); adev->product_name[size] = '\0'; @@ -127,6 +134,13 @@ int amdgpu_fru_get_product_info(struct amdgpu_device *adev) return size; } + /* Product number should only be 16 characters. Any more, + * and something could be wrong. Cap it at 16 to be safe + */ + if (size > 16) { + DRM_WARN("FRU Product Number is larger than 16 characters. This is likely a mistake"); + size = 16; + } memcpy(adev->product_number, &buff[2], size); adev->product_number[size] = '\0'; @@ -146,6 +160,13 @@ int amdgpu_fru_get_product_info(struct amdgpu_device *adev) return size; } + /* Serial number should only be 16 characters. Any more, + * and something could be wrong. Cap it at 16 to be safe + */ + if (size > 16) { + DRM_WARN("FRU Serial Number is larger than 16 characters. This is likely a mistake"); + size = 16; + } memcpy(adev->serial, &buff[2], size); adev->serial[size] = '\0';