On 2026-05-26 12:32, [email protected] wrote:
> From: Boyuan Zhang <[email protected]>
>
> Fix a security vulnerability where malicious VCE command streams
> with oversized dimensions (e.g. 65536×65536) cause 32-bit integer
> overflow, wrapping the calculated buffer size to 0. This bypasses
> validation and allows GPU firmware to perform out-of-bound memory
> access.
>
> The fix uses 64-bit arithmetic to detect overflow and rejects
> invalid dimensions before they reach the hardware.
> V2: remove redundant check
> V3: modify max height value
>
> Signed-off-by: Boyuan Zhang <[email protected]>
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 18 +++++++++++++++---
> 1 file changed, 15 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
> b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
> index efdebd9c0a1f..bf7184dc7c7c 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
> @@ -877,9 +877,21 @@ int amdgpu_vce_ring_parse_cs(struct amdgpu_cs_parser *p,
> goto out;
> }
>
> - *size = amdgpu_ib_get_value(ib, idx + 8) *
> - amdgpu_ib_get_value(ib, idx + 10) *
> - 8 * 3 / 2;
> + uint32_t width = amdgpu_ib_get_value(ib, idx + 8);
> + uint32_t height = amdgpu_ib_get_value(ib, idx + 10);
> + uint64_t size64;
> +
> + if (width == 0 || height == 0 ||
> + width > 4096 || height > 2304) {
> + DRM_ERROR("invalid VCE image size: %ux%u\n",
> + width, height);
> + r = -EINVAL;
> + goto out;
> + }
> +
> + size64 = (uint64_t)width * (uint64_t)height * 12ULL;
There is no need for size64 since width * height * 12 is now guaranteed to
never overflow.
> + *size = (uint32_t)size64;
> +
> break;
>
> case 0x04000001: /* config extension */
