Potential security issue in atombios
Brief summary of the problem:
Sorry if this is not the place to put this, but while trying to implement an atombios interpreter for a different project, I found a potential stack vulnerability in the atombios interpreter.
It stems from the fact that the parameter space is a preallocated array of fixed size, for example in amdgpu_atom_asic_init:
    int amdgpu_atom_asic_init(struct atom_context *ctx)
    {
        int hwi = CU16(ctx->data_table + ATOM_DATA_FWI_PTR);
        uint32_t ps[16];
        int ret;

        memset(ps, 0, 64);
        ps[0] = cpu_to_le32(CU32(hwi + ATOM_FWI_DEFSCLK_PTR));
        ps[1] = cpu_to_le32(CU32(hwi + ATOM_FWI_DEFMCLK_PTR));
        if (!ps[0] || !ps[1])
            return 1;

        if (!CU16(ctx->cmd_table + 4 + 2 * ATOM_CMD_INIT))
            return 1;
        ret = amdgpu_atom_execute_table(ctx, ATOM_CMD_INIT, ps);
        if (ret)
            return ret;

        memset(ps, 0, 64);

        return ret;
    }
The size of the parameter space seems never to be checked afterwards, for example in atom_put_dst:
    case ATOM_ARG_PS:
        idx = U8(*ptr);
        (*ptr)++;
        DEBUG("PS[0x%02X]", idx);
        ctx->ps[idx] = cpu_to_le32(val);
        break;
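A bounds-checked version of that ATOM_ARG_PS store, as an added example in C that is neither kernel code nor the reporter's: struct ps_ctx, atom_put_ps_checked, try_index and count_rejected are hypothetical names, and the model keeps only the parameter-space pointer and its slot count from the real context. It reads the index byte from the bytecode exactly as atom_put_dst does, but refuses a write outside the caller's array, which is the check the quoted code lacks.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, reduced interpreter state: just the parameter space and the
 * number of uint32_t slots the caller actually allocated for it. */
struct ps_ctx {
	uint32_t *ps;
	size_t ps_size;
};

/* Hardened ATOM_ARG_PS destination write. The one-byte slot index still comes
 * from the bytecode (idx = U8(*ptr); (*ptr)++), but the store is rejected when
 * idx is outside the caller's array. Returns 0 on success, -1 when rejected.
 * The kernel applies cpu_to_le32() to val; that is omitted in this model. */
int atom_put_ps_checked(struct ps_ctx *ctx, const uint8_t **ptr, uint32_t val)
{
	uint8_t idx = **ptr;
	(*ptr)++;
	if (idx >= ctx->ps_size)
		return -1;
	ctx->ps[idx] = val;
	return 0;
}

/* Tries a single write of `idx` into a fresh n_slots-slot parameter space
 * (n_slots <= 64). Returns 1 if the value was stored, 0 if it was rejected. */
int try_index(size_t n_slots, uint8_t idx)
{
	uint32_t ps[64] = {0};
	struct ps_ctx ctx = { ps, n_slots };
	const uint8_t stream[1] = { idx };
	const uint8_t *p = stream;

	if (n_slots > 64)
		return 0;
	/* Short-circuit keeps ps[idx] unevaluated unless the write succeeded. */
	return atom_put_ps_checked(&ctx, &p, 0xDEADBEEFu) == 0 && ps[idx] == 0xDEADBEEFu;
}

/* Runs a constructed index stream against a 16-slot space, mirroring the
 * uint32_t ps[16] in amdgpu_atom_asic_init. Indices 0x00 and 0x0F are in
 * range; 0x10 and 0xFF are not. Returns how many writes were rejected. */
size_t count_rejected(void)
{
	static const uint8_t stream[] = { 0x00, 0x0F, 0x10, 0xFF };
	uint32_t ps[16] = {0};
	struct ps_ctx ctx = { ps, 16 };
	const uint8_t *p = stream;
	size_t rejected = 0;

	while (p < stream + sizeof(stream))
		if (atom_put_ps_checked(&ctx, &p, 1u) != 0)
			rejected++;
	return rejected;
}
```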
Edited by Alexander Richards