On Wed, Feb 04, 2026 at 02:56:38PM +0000, Alexander Konyukhov wrote: > Thank you for the replies. > > According to ISO 9899 6.3.1 both operands are first converted to a common > type (u32), there are no defined limits of kfb->afbc_size and fb->offsets[0] > , so min_size can have an overflowed u32 value.
Brian has pointed out that just looking at the type of the result is not enough. Acked-by: Liviu Dudau <[email protected]> Will push this into drm-misc-next later today. Thanks for the fix! Best regards, Liviu > > -----Original Message----- > From: Liviu Dudau <[email protected]> > Sent: Wednesday, February 4, 2026 4:25 PM > To: Brian Starkey <[email protected]> > Cc: Alexander Konyukhov <[email protected]>; Maarten > Lankhorst <[email protected]>; Maxime Ripard > <[email protected]>; Thomas Zimmermann <[email protected]>; David Airlie > <[email protected]>; Simona Vetter <[email protected]>; > [email protected]; [email protected]; > [email protected]; [email protected] > Subject: Re: [PATCH] drm/komeda: fix integer overflow in AFBC framebuffer > size check > > Caution: This is an external email. > > > > On Tue, Feb 03, 2026 at 09:43:12PM +0000, Brian Starkey wrote: > > Hi Alexander, > > > > On Tue, Feb 03, 2026 at 04:48:46PM +0000, Alexander Konyukhov wrote: > > > The AFBC framebuffer size validation calculates the minimum required > > > buffer size by adding the AFBC payload size to the framebuffer offset. > > > This addition is performed without checking for integer overflow. > > > > > > If the addition oveflows, the size check may incorrectly succed and > > > allow userspace to provide an undersized drm_gem_object, potentially > > > leading to out-of-bounds memory access. > > > > > > Add usage of check_add_overflow() to safely compute the minimum > > > required size and reject the framebuffer if an overflow is detected. > > > This makes the AFBC size validation more robust against malformed. > > > > > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > > > > > Fixes: 65ad2392dd6d ("drm/komeda: Added AFBC support for komeda > > > driver") > > > Signed-off-by: Alexander Konyukhov > > > <[email protected]> > > > --- > > > drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c | 6 +++++- > > > 1 file changed, 5 insertions(+), 1 deletion(-) > > > > > > diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c > > > b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c > > > index 3ca461eb0a24..3cb34d03f7f8 100644 > > > --- a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c > > > +++ b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c > > > @@ -4,6 +4,8 @@ > > > * Author: James.Qian.Wang <[email protected]> > > > * > > > */ > > > +#include <linux/overflow.h> > > > + > > > #include <drm/drm_device.h> > > > #include <drm/drm_fb_dma_helper.h> > > > #include <drm/drm_gem.h> > > > @@ -93,7 +95,9 @@ komeda_fb_afbc_size_check(struct komeda_fb *kfb, struct > > > drm_file *file, > > > kfb->afbc_size = kfb->offset_payload + n_blocks * > > > ALIGN(bpp * AFBC_SUPERBLK_PIXELS / 8, > > > AFBC_SUPERBLK_ALIGNMENT); > > > - min_size = kfb->afbc_size + fb->offsets[0]; > > > > Can this really overflow? Is the concern a hypothetical ILP64 > > situation? > > > > min_size is u64, kfb->afbc_size is u32, and fb->offsets[0] is unsigned > > int. > > Yeah, I was thinking the same thing yesterday at the end of the work day when > I looked at the patch. I don't think following the call flow you can end up > with an overflow. > > Best regards, > Liviu > > > > > Thanks, > > -Brian > > > > > + if (check_add_overflow(kfb->afbc_size, fb->offsets[0], &min_size)) { > > > + goto check_failed; > > > + } > > > if (min_size > obj->size) { > > > DRM_DEBUG_KMS("afbc size check failed, obj_size: 0x%zx. > > > min_size 0x%llx.\n", > > > obj->size, min_size); > > > -- > > > 2.43.0 > > >
