Looks good to me: Reviewed-by: Leo Liu <[email protected]>
> -----Original Message----- > From: Zhang, Boyuan <[email protected]> > Sent: May 19, 2026 1:22 PM > To: [email protected] > Cc: Deucher, Alexander <[email protected]>; Liu, Leo > <[email protected]>; Zhang, Boyuan <[email protected]> > Subject: [PATCH] drm/amdgpu/vcn4: Fix TOCTOU and overflow in ib parsing > > From: Boyuan Zhang <[email protected]> > > Fix security vulnerabilities in VCN 4 encoder IB parameter parsing. > > With userptr-backed IBs, userspace can race and modify the length field > between validation and use, causing an infinite loop (i += 0) that hangs > the kernel with VCN lock held, resulting in GPU-wide DoS. > > Additional issues: out-of-bounds access when i reaches length_dw-1 but > code reads ib[i+1], and missing validation of the start parameter. > > Fix by validating start, using i+2 <= length_dw loop condition, reading > length once to prevent TOCTOU, and adding comprehensive bounds > checking. > > Signed-off-by: Boyuan Zhang <[email protected]> > --- > drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 12 +++++++++++- > 1 file changed, 11 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c > b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c > index ff7269bafae8..f27f6cf5749a 100644 > --- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c > +++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c > @@ -1932,9 +1932,19 @@ static int vcn_v4_0_enc_find_ib_param(struct > amdgpu_ib *ib, uint32_t id, int sta > int i; > uint32_t len; > > - for (i = start; (len = amdgpu_ib_get_value(ib, i)) >= 8; i += len / 4) { > + if (start < 0 || start >= ib->length_dw) > + return -1; > + > + for (i = start; i + 2 <= ib->length_dw; ) { > + len = amdgpu_ib_get_value(ib, i); > + > + if (len < 8 || (len & 3) || i + len / 4 > ib->length_dw) > + break; > + > if (amdgpu_ib_get_value(ib, i + 1) == id) > return i; > + > + i += len / 4; > } > return -1; > } > -- > 2.43.0
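Review bot: The commit message's TOCTOU rationale does not match the removed line: the old loop already read `len` exactly once per iteration (`(len = amdgpu_ib_get_value(ib, i)) >= 8`) and reused that same value in `i += len / 4`, so with `len >= 8` the increment is at least 2 and an `i += 0` infinite loop is not reachable from this loop alone; either point the message at where the second read actually happens, or reword it so the fix is justified by what the hunk does fix, namely the unchecked `start`, the `ib[i + 1]` read at `i == length_dw - 1` (now prevented by `i + 2 <= ib->length_dw`), and parameters that run past the end of the IB (`i + len / 4 > ib->length_dw`). Also note that `(len & 3)` newly rejects lengths that are not dword multiples, which the old code silently rounded down; that is a behaviour change for any userspace that emitted such lengths and deserves a sentence in the message.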
