Re: [PATCH] drm/virtio: bound EDID block reads to the response buffer

From: Dmitry Osipenko

Date: Tue Jun 30 2026 - 09:24:50 EST


On 6/21/26 05:43, Bryam Vargas via B4 Relay wrote:
> From: Bryam Vargas <hexlabsecurity@xxxxxxxxx>
>
> virtio_get_edid_block() validates the read offset only against the
> device-supplied resp->size field, never against the fixed-size resp->edid
> array. The EDID block index is driven by the device-supplied extension
> count, so a malicious virtio-gpu backend can advertise a large size
> together with a high block count and read far past the array into adjacent
> kernel memory, which is then surfaced in the parsed EDID (an out-of-bounds
> read / info leak).
>
> Also reject any read whose end exceeds the size of the edid array.
> Conforming EDID responses stay within the array and are unaffected.
>
> Fixes: b4b01b4995fb ("drm/virtio: add edid support")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Bryam Vargas <hexlabsecurity@xxxxxxxxx>
> ---
> drivers/gpu/drm/virtio/virtgpu_vq.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c
> index 67865810a2e7..c8b9475a7472 100644
> --- a/drivers/gpu/drm/virtio/virtgpu_vq.c
> +++ b/drivers/gpu/drm/virtio/virtgpu_vq.c
> @@ -897,7 +897,8 @@ static int virtio_get_edid_block(void *data, u8 *buf,
> struct virtio_gpu_resp_edid *resp = data;
> size_t start = block * EDID_LENGTH;
>
> - if (start + len > le32_to_cpu(resp->size))
> + if (start + len > le32_to_cpu(resp->size) ||
> + start + len > sizeof(resp->edid))
> return -EINVAL;
> memcpy(buf, resp->edid + start, len);
> return 0;
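Review bot: the fix is correct, but the intent would be clearer and harder to regress if the device-supplied size were clamped once rather than compared twice, e.g. `size_t size = min_t(size_t, le32_to_cpu(resp->size), sizeof(resp->edid));` followed by `if (start + len > size)`; with the two-term condition a later edit that touches only one comparison silently reopens the hole. Either way, a one-line comment above the check noting that `resp->size` comes from the device and must not be trusted on its own would document why the `sizeof(resp->edid)` bound exists, since nothing in the hunk itself says so.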

Applied to misc-fixes, thanks!

--
Best regards,
Dmitry
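As an added illustration of the bug the commit message describes, and not code from the patch, the driver or the kernel: a user-space model of the pre-patch and patched checks, run against a constructed response from a device that advertises more EDID bytes than the fixed array can hold. The struct layout, the 1024-byte `edid[]` size, the `guest_mem` buffer, the 0xAA/0xEE fill bytes and all function names are assumptions made for this example; the two `if` conditions are taken from the hunk.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EDID_LENGTH 128
#define EDID_ARRAY_SIZE 1024   /* assumed size of edid[] in the response struct */

/* Model of the EDID response; field names follow the patch. */
struct resp_edid {
    uint32_t size;                  /* device-supplied byte count, untrusted */
    uint8_t  edid[EDID_ARRAY_SIZE];
};

/* Constructed "guest memory": the response followed by bytes that sit beyond
 * the array and must never be readable through it. */
#define BEYOND_LENGTH 512
static uint8_t guest_mem[sizeof(struct resp_edid) + BEYOND_LENGTH];
static uint8_t scratch[EDID_LENGTH];

/* Pre-patch check: bounds the read against the device-supplied size only. */
static int check_size_only(const struct resp_edid *resp, unsigned int block, size_t len)
{
    size_t start = (size_t)block * EDID_LENGTH;
    if (start + len > resp->size)
        return -EINVAL;
    return 0;
}

/* Patched check: the read must also fit inside the fixed-size array. */
static int check_size_and_array(const struct resp_edid *resp, unsigned int block, size_t len)
{
    size_t start = (size_t)block * EDID_LENGTH;
    if (start + len > resp->size || start + len > sizeof(resp->edid))
        return -EINVAL;
    return 0;
}

typedef int (*check_fn)(const struct resp_edid *, unsigned int, size_t);

/* Prepare a response whose device claims `claimed_size` bytes. edid[] is
 * filled with 0xAA; everything past it with 0xEE so a leak is visible. */
static struct resp_edid *setup_response(uint32_t claimed_size)
{
    struct resp_edid *resp = (struct resp_edid *)guest_mem;
    memset(guest_mem, 0xEE, sizeof(guest_mem));
    memset(resp->edid, 0xAA, sizeof(resp->edid));
    resp->size = claimed_size;
    return resp;
}

/* Read one EDID block the way the driver does, under the given check. The copy
 * goes through the flat guest_mem buffer so the model never indexes outside a
 * single array. Returns -EINVAL if the check rejects the read, -ERANGE if the
 * model buffer itself is too small to show it, otherwise the number of bytes
 * that came from beyond edid[] (0 means a clean, in-bounds read). */
static int read_block(check_fn check, unsigned int block, uint8_t *out)
{
    struct resp_edid *resp = (struct resp_edid *)guest_mem;
    size_t start = (size_t)block * EDID_LENGTH;
    size_t off = offsetof(struct resp_edid, edid) + start;
    int rc = check(resp, block, EDID_LENGTH);
    if (rc)
        return rc;
    if (off + EDID_LENGTH > sizeof(guest_mem))
        return -ERANGE;                 /* guard for the model only */
    if (!out)
        out = scratch;
    memcpy(out, guest_mem + off, EDID_LENGTH);
    int leaked = 0;
    for (size_t i = 0; i < EDID_LENGTH; i++)
        if (out[i] == 0xEE)
            leaked++;
    return leaked;
}

int main(void)
{
    /* Device claims 2048 bytes (16 blocks) although edid[] holds 8. */
    setup_response(2048);
    printf("block 7, size-only check:      %d\n", read_block(check_size_only, 7, NULL));
    printf("block 8, size-only check:      %d\n", read_block(check_size_only, 8, NULL));
    printf("block 8, size-and-array check: %d\n", read_block(check_size_and_array, 8, NULL));
    return 0;
}
```

Block 7 is the last one that fits in a 1024-byte array and passes both checks; block 8 passes the size-only check and returns 128 bytes from past the array, while the patched check rejects it with -EINVAL. A device that under-reports its size (say 256 bytes) is rejected by both checks for any block beyond the first.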