Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

drm/amdgpu/vcn3: Avoid overflow on msg bound check

As pointed out by SDL, the previous condition may be vulnerable to
overflow.

Fixes: b193019860d6 ("drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg")
Cc: SDL <sdl@nppct.ru>
Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit db00257ac9e4a51eb2515aaea161a019f7125e10)

authored by Benjamin Cheng and committed by Alex Deucher
e6e9faba 47a5dfc8

+3 -1
drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
··· 1973 1973 1974 1974 for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) { 1975 1975 uint32_t offset, size, *create; 1976 + uint64_t buf_end; 1976 1977 1977 1978 if (msg[0] != RDECODE_MESSAGE_CREATE) 1978 1979 continue; ··· 1981 1980 offset = msg[1]; 1982 1981 size = msg[2]; 1983 1982 1984 - if (size < 4 || offset + size > end - addr) { 1983 + if (size < 4 || check_add_overflow(offset, size, &buf_end) || 1984 + buf_end > end - addr) { 1985 1985 DRM_ERROR("VCN message buffer exceeds BO bounds!\n"); 1986 1986 r = -EINVAL; 1987 1987 goto out;
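
Review bot: In the rewritten bound check, `check_add_overflow(offset, size, &buf_end)` cannot report an overflow as declared here, because `offset` and `size` are `uint32_t` and the destination `buf_end` is `uint64_t`, so the sum of two 32-bit values always fits. The call works as a widening add, and the rejection of an oversized buffer comes entirely from `buf_end > end - addr`. That does close the 32-bit wraparound in the old `offset + size > end - addr`, but a reader will take the first operand for the guard. Please either add a short comment saying the 64-bit destination is deliberate, or write the widening directly, for example `buf_end = (uint64_t)offset + size;` followed by the single comparison. The declarations of `end` and `addr` are outside this hunk; it would be worth confirming that `end - addr` is a 64-bit quantity and that `end >= addr` holds on this path, since the comparison depends on both.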