On Thu, May 28, 2026 at 11:54 AM <[email protected]> wrote: > > From: Boyuan Zhang <[email protected]> > > Fix a security vulnerability where malicious VCE command streams > with oversized dimensions (e.g. 65536×65536) cause 32-bit integer > overflow, wrapping the calculated buffer size to 0. This bypasses > validation and allows GPU firmware to perform out-of-bound memory > access. > > The fix uses 64-bit arithmetic to detect overflow and rejects > invalid dimensions before they reach the hardware. > > V2: remove redundant check > V3: modify max height value > V4: remove size64 > > Signed-off-by: Boyuan Zhang <[email protected]> > --- > drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 16 +++++++++++++--- > 1 file changed, 13 insertions(+), 3 deletions(-) > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c > b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c > index efdebd9c0a1f..d2f1a9a1d338 100644 > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c > @@ -877,9 +877,19 @@ int amdgpu_vce_ring_parse_cs(struct amdgpu_cs_parser *p, > goto out; > } > > - *size = amdgpu_ib_get_value(ib, idx + 8) * > - amdgpu_ib_get_value(ib, idx + 10) * > - 8 * 3 / 2; > + uint32_t width = amdgpu_ib_get_value(ib, idx + 8); > + uint32_t height = amdgpu_ib_get_value(ib, idx + 10);
Mixed declarations and code; older compilers will complain about this. With that fixed: Reviewed-by: Alex Deucher <[email protected]> > + > + if (width == 0 || height == 0 || > + width > 4096 || height > 2304) { > + DRM_ERROR("invalid VCE image size: %ux%u\n", > + width, height); > + r = -EINVAL; > + goto out; > + } > + > + *size = width * height * 8 * 3 / 2; > + > break; > > case 0x04000001: /* config extension */ > -- > 2.43.0 >
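Review bot: the commit message says the fix "uses 64-bit arithmetic to detect overflow", but at `*size = width * height * 8 * 3 / 2;` the multiplication is still done on uint32_t values (V4 removed size64), so nothing in the hunk detects overflow; the result is safe only because of the `width > 4096 || height > 2304` check just above it. Please reword the commit message to describe the range check instead. A short comment at the multiplication would also help, stating that the bounds keep the product within 32 bits (at the maximum, 4096 * 2304 * 8 * 3 = 226492416), so that a later change to the limits does not silently bring the wrap back. Replacing the bare 4096 and 2304 with named constants, with a note on where the limits come from, would make that dependency easier to see.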
