Per the VBE 2.0 specification, the VBE controller information is 512 bytes long when the "VBE2" signature is provided, instead of the original 256 bytes. src/bootsplash.c uses the original pre-VBE-2.0 256-byte structure while also filling in the "VBE2" signature, so a video BIOS that makes use of the VBE2 OemData area could write past the end of the allocated region. The original bootsplash code did not have this bug; it was introduced when the bootsplash VBE structures were merged with the VGA ROM struct definitions.
Fixes: 69e941c159ed ("Merge bootsplash and VGA ROM vbe structure definitions")
Signed-off-by: Daniel Verkamp <daniel@drv.nu>
---
src/std/vbe.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/std/vbe.h b/src/std/vbe.h
index XXXXXXX..XXXXXXX 100644
--- a/src/std/vbe.h
+++ b/src/std/vbe.h
@@ -XXX,XX +XXX,XX @@ struct vbe_info {
struct segoff_s oem_product_string;
struct segoff_s oem_revision_string;
u8 reserved[222];
+ /* VBE 2.0 */
+ u8 oem_data[256];
} PACKED;
struct vbe_mode_info {
--
2.43.0
_______________________________________________
SeaBIOS mailing list -- seabios@seabios.org
To unsubscribe send an email to seabios-leave@seabios.org
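Review bot: With `oem_data[256]` appended after `reserved[222]`, the VBE2 contract described in the commit message depends on `oem_data` starting at byte offset 256 and the packed struct totalling 512 bytes, yet nothing in the hunk pins either value, so a later field insertion would silently shift the OEM area. A compile-time check next to the definition would lock this in, e.g. `_Static_assert(sizeof(struct vbe_info) == 512, "VBE2 controller info block is 512 bytes");` (or the project's own static-assert helper if it has one), and the new comment could state the condition under which the field exists: `/* VBE 2.0: OEM data area, only present when the caller sets the "VBE2" signature */`. The same hunk is posted unchanged in the v2 series below, where the same check applies. The start of `struct vbe_info` lies before this hunk.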
Per the VBE 2.0 specification, the VBE controller information is 512 bytes long when the "VBE2" signature is provided, instead of the original 256 bytes. src/bootsplash.c uses the original pre-VBE-2.0 256-byte structure while also filling in the "VBE2" signature, so a video BIOS that makes use of the VBE2 OemData area could write past the end of the allocated region. The original bootsplash code did not have this bug; it was introduced when the bootsplash VBE structures were merged with the VGA ROM struct definitions.
Fixes: 69e941c159ed ("Merge bootsplash and VGA ROM vbe structure definitions")
Signed-off-by: Daniel Verkamp <daniel@drv.nu>
---
v2 fixes the inverse bug introduced by the original patch - the vgabios would memset too much data if the caller did not request VBE2 data.
src/std/vbe.h | 2 ++
vgasrc/vbe.c | 4 +++-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/std/vbe.h b/src/std/vbe.h
index XXXXXXX..XXXXXXX 100644
--- a/src/std/vbe.h
+++ b/src/std/vbe.h
@@ -XXX,XX +XXX,XX @@ struct vbe_info {
struct segoff_s oem_product_string;
struct segoff_s oem_revision_string;
u8 reserved[222];
+ /* VBE 2.0 */
+ u8 oem_data[256];
} PACKED;
struct vbe_mode_info {
diff --git a/vgasrc/vbe.c b/vgasrc/vbe.c
index XXXXXXX..XXXXXXX 100644
--- a/vgasrc/vbe.c
+++ b/vgasrc/vbe.c
@@ -XXX,XX +XXX,XX @@ vbe_104f00(struct bregs *regs)
{
u16 seg = regs->es;
struct vbe_info *info = (void*)(regs->di+0);
+ size_t info_size = offsetof(struct vbe_info, oem_data);
if (GET_FARVAR(seg, info->signature) == VBE2_SIGNATURE) {
dprintf(4, "Get VBE Controller: VBE2 Signature found\n");
+ info_size = sizeof(*info);
} else if (GET_FARVAR(seg, info->signature) == VESA_SIGNATURE) {
dprintf(4, "Get VBE Controller: VESA Signature found\n");
} else {
dprintf(4, "Get VBE Controller: Invalid Signature\n");
}
- memset_far(seg, info, 0, sizeof(*info));
+ memset_far(seg, info, 0, info_size);
SET_FARVAR(seg, info->signature, VESA_SIGNATURE);
--
2.43.0
_______________________________________________
SeaBIOS mailing list -- seabios@seabios.org
To unsubscribe send an email to seabios-leave@seabios.org
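Review bot: The new `info_size` declaration does not say why two sizes exist, which invites a later reader to "simplify" it back to `sizeof(*info)` and reintroduce the overrun; a comment on that line would guard against it, e.g. `/* Pre-VBE2 callers supply a 256-byte block; only a "VBE2" signature promises the 512-byte block that includes oem_data. */`. Because the non-VBE2 path now clears only the first 256 bytes, any later store into `oem_data` within `vbe_104f00` would have to be guarded on the same condition; the function continues past the end of the hunk, so that cannot be checked here. `offsetof` is presumably already provided by the project's own headers included in this file (the include list is outside the hunk); if it is not, `<stddef.h>` is needed. As a style point, the signature is fetched from far memory twice; reading it once into a local such as `u32 sig = GET_FARVAR(seg, info->signature);` before the `if` chain would make the branching on the caller-supplied value easier to follow.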