From: Boyuan Zhang <[email protected]>

Fix a security vulnerability where malicious VCE command streams with oversized dimensions (e.g. 65536×65536) cause 32-bit integer overflow, wrapping the calculated buffer size to 0. This bypasses validation and allows GPU firmware to perform out-of-bound memory access.
The fix uses 64-bit arithmetic to detect overflow and rejects invalid dimensions before they reach the hardware. V2: remove redundant check Signed-off-by: Boyuan Zhang <[email protected]> --- drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c index efdebd9c0a1f..af18b51d4cba 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c @@ -877,9 +877,21 @@ int amdgpu_vce_ring_parse_cs(struct amdgpu_cs_parser *p, goto out; } - *size = amdgpu_ib_get_value(ib, idx + 8) * - amdgpu_ib_get_value(ib, idx + 10) * - 8 * 3 / 2; + uint32_t width = amdgpu_ib_get_value(ib, idx + 8); + uint32_t height = amdgpu_ib_get_value(ib, idx + 10); + uint64_t size64; + + if (width == 0 || height == 0 || + width > 4096 || height > 4096) { + DRM_ERROR("invalid VCE image size: %ux%u\n", + width, height); + r = -EINVAL; + goto out; + } + + size64 = (uint64_t)width * (uint64_t)height * 12ULL; + *size = (uint32_t)size64; + break; case 0x04000001: /* config extension */ -- 2.43.0
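Review bot: the 64-bit intermediate in this hunk is dead code once the bounds check is in place. With `width` and `height` both capped at 4096, the largest possible product is 4096 * 4096 * 12 = 201,326,592, which fits comfortably in a `uint32_t`, so `size64 = (uint64_t)width * (uint64_t)height * 12ULL;` followed by `*size = (uint32_t)size64;` never detects or prevents anything; the overflow the commit message describes is prevented entirely by the `width > 4096 || height > 4096` rejection. Either drop `size64` and assign `*size = width * height * 12;` directly, or, if the intent is to keep a generic overflow guard rather than a hard-coded limit, use `check_mul_overflow()` on the 32-bit product and return `-EINVAL` when it trips. Three smaller points: the 4096 limits are magic numbers and deserve named constants with a comment stating which hardware or firmware limit they reflect; the declarations of `width`, `height` and `size64` land in the middle of the `case` after `goto out; }`, so they should move to the top of the function or the case body should get its own braces to match kernel style; and since the dimensions come straight from a userspace command stream, an unconditional `DRM_ERROR()` lets any process fill the kernel log, so `DRM_DEBUG()` or a ratelimited variant is the better fit for a validation failure.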
