AMD General Reviewed-by: Yang Wang <[email protected]>
Best Regards, Kevin > -----Original Message----- > From: Kamal, Asad <[email protected]> > Sent: Friday, May 29, 2026 14:20 > To: [email protected] > Cc: Lazar, Lijo <[email protected]>; Zhang, Hawking > <[email protected]>; Ma, Le <[email protected]>; Zhang, Morris > <[email protected]>; Deucher, Alexander <[email protected]>; > Wang, Yang(Kevin) <[email protected]>; Kamal, Asad > <[email protected]> > Subject: [PATCH] drm/amd/pm: bound pp_dpm_set_pp_table() memcpy > > The powerplay path allocates hardcode_pp_table once with kmemdup(..., > soft_pp_table_size). memcpy(..., size) used the sysfs store count (up to > PAGE_SIZE) with no upper bound, causing heap overflow. Reject writes where > size > exceeds soft_pp_table_size. > > Signed-off-by: Asad Kamal <[email protected]> > --- > drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c > b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c > index 3ee910503775..35974fd02b27 100644 > --- a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c > +++ b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c > @@ -665,6 +665,9 @@ static int pp_dpm_set_pp_table(void *handle, const char > *buf, size_t size) > if (!hwmgr || !hwmgr->pm_en) > return -EINVAL; > > + if (size > hwmgr->soft_pp_table_size) > + return -EINVAL; > + > if (!hwmgr->hardcode_pp_table) { > hwmgr->hardcode_pp_table = kmemdup(hwmgr->soft_pp_table, > hwmgr->soft_pp_table_size, > -- > 2.46.0
