In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Bound VBIOS record-chain walk loops

[Why & How]
All record-chain walk loops in bios_parser.c and bios_parser2.c use
for(;;) and only terminate on a 0xFF record_type sentinel or zero
record_size. A malformed VBIOS image missing the terminator record
causes unbounded iteration at probe time, potentially hundreds of
thousands of iterations with record_size=1. In the final iterations
near the BIOS image boundary, struct casts beyond the 2-byte header
validated by GET_IMAGE can also read out of bounds.

Cap all 14 record-chain walk loops to BIOS_MAX_NUM_RECORD (256)
iterations. The atombios.h defines up to 22 distinct record types
and atomfirmware.h has 13. Assuming an average of less than 10
records per type (which is reasonable since most are connector-
based) 256 is a generous upper bound.

(cherry picked from commit 95700a3d660287ed657d6892f7be9ffc0e294a93)

https://git.kernel.org/stable/c/0e56f460bddb397fa9a8e6faf7ae7eaa86953eb1

https://git.kernel.org/stable/c/2645e3caf7e013189da9c6ff621d006cca5a538b

https://git.kernel.org/stable/c/6173cfea2f916e01c4f98e29cd654384a05e32a3

https://git.kernel.org/stable/c/ff287df16a1a58aca78b08d1f3ee09fc44da0351

[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/gpu/drm/amd/display/dc/bios/bios_parser.c","drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c","drivers/gpu/drm/amd/display/dc/bios/bios_parser_helper.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c","lessThan":"6173cfea2f916e01c4f98e29cd654384a05e32a3","versionType":"git","status":"affected"},{"version":"4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c","lessThan":"0e56f460bddb397fa9a8e6faf7ae7eaa86953eb1","versionType":"git","status":"affected"},{"version":"4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c","lessThan":"2645e3caf7e013189da9c6ff621d006cca5a538b","versionType":"git","status":"affected"},{"version":"4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c","lessThan":"ff287df16a1a58aca78b08d1f3ee09fc44da0351","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/gpu/drm/amd/display/dc/bios/bios_parser.c","drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c","drivers/gpu/drm/amd/display/dc/bios/bios_parser_helper.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.15","status":"affected"},{"version":"0","lessThan":"4.15","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.36","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.13","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]