From: Daniel Verkamp
To: seabios@seabios.org
Date: Thu, 7 Mar 2024 01:08:27 -0800
Message-ID: <20240307091317.2655196-1-daniel@drv.nu>
Subject: [SeaBIOS] [PATCH v2] vbe: Add VBE 2.0+ OemData field to struct vbe_info

Per the VBE 2.0 specification, the VBE controller information is 512 bytes long when the "VBE2" signature is provided, instead of the original 256 bytes.

src/bootsplash.c uses the original pre-VBE-2.0 256-byte structure while also filling in the "VBE2" signature, so a video BIOS that makes use of the VBE2 OemData area could write past the end of the allocated region.

The original bootsplash code did not have this bug; it was introduced when the bootsplash VBE structures were merged with the VGA ROM struct definitions.

Fixes: 69e941c159ed ("Merge bootsplash and VGA ROM vbe structure definitions")
Signed-off-by: Daniel Verkamp
---
v2 fixes the inverse bug introduced by the original patch - the vgabios would memset too much data if the caller did not request VBE2 data.

 src/std/vbe.h | 2 ++
 vgasrc/vbe.c  | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/std/vbe.h b/src/std/vbe.h index 94b4ad86..fe96f5ec 100644 --- a/src/std/vbe.h +++ b/src/std/vbe.h @@ -18,6 +18,8 @@ struct vbe_info { struct segoff_s oem_product_string; struct segoff_s oem_revision_string; u8 reserved[222]; + /* VBE 2.0 */ + u8 oem_data[256]; } PACKED; =20 struct vbe_mode_info { diff --git a/vgasrc/vbe.c b/vgasrc/vbe.c index 66afb011..91abc9ab 100644 --- a/vgasrc/vbe.c +++ b/vgasrc/vbe.c @@ -32,16 +32,18 @@ vbe_104f00(struct bregs *regs) { u16 seg =3D regs->es; struct vbe_info *info =3D (void*)(regs->di+0); + size_t info_size =3D offsetof(struct vbe_info, oem_data); =20 if (GET_FARVAR(seg, info->signature) =3D=3D VBE2_SIGNATURE) { dprintf(4, "Get VBE Controller: VBE2 Signature found\n"); + info_size =3D sizeof(*info); } else if (GET_FARVAR(seg, info->signature) =3D=3D VESA_SIGNATURE) { dprintf(4, "Get VBE Controller: VESA Signature found\n"); } else { dprintf(4, "Get VBE Controller: Invalid Signature\n"); } =20 - memset_far(seg, info, 0, sizeof(*info)); + memset_far(seg, info, 0, info_size); =20 SET_FARVAR(seg, info->signature, VESA_SIGNATURE); =20 --=20 2.43.0 _______________________________________________ SeaBIOS mailing list -- seabios@seabios.org To unsubscribe send an email to seabios-leave@seabios.org
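Review bot: in struct vbe_info (src/std/vbe.h), the new oem_data member is documented only by /* VBE 2.0 */, yet the vgasrc/vbe.c change in this patch uses offsetof(struct vbe_info, oem_data) as the size of the pre-2.0 block. Suggest saying in the comment that everything before oem_data is the original 256-byte layout and that oem_data is present only when the caller supplied the "VBE2" signature, so that a later field insertion or a change to reserved[222] does not silently move that boundary. Because sizeof(struct vbe_info) grows by 256 bytes here, every other user of that sizeof is worth checking for buffers or copies still sized for the old layout.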
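Review bot: in vbe_104f00() (vgasrc/vbe.c), info_size starts at offsetof(struct vbe_info, oem_data) and is raised to sizeof(*info) only in the VBE2_SIGNATURE branch, but nothing in the code says why. A one-line comment that a caller not passing "VBE2" provides only the pre-2.0 buffer would keep the bound from being simplified back to memset_far(seg, info, 0, sizeof(*info)), which is the over-clear the v2 note describes. The "Invalid Signature" branch also falls through to memset_far() with the smaller size; that is the conservative choice and is worth stating in the same comment. The hunk introduces size_t and offsetof without adding an include, so confirm both are already available in this file.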