diff options
| author | Dan Carpenter <dan.carpenter@linaro.org> | 2025-05-23 19:05:58 +0300 |
|---|---|---|
| committer | Alex Deucher <alexander.deucher@amd.com> | 2025-06-03 15:06:35 -0400 |
| commit | 98a46a408998102af5c45adce0871acd7967bb59 (patch) | |
| tree | 6389cdbb587d724c8093867b9b9ed98fc3311788 /scripts/lib/kdoc/kdoc_parser.py | |
| parent | 5cccf10f652122a17b40df9d672ccf2ed69cd82f (diff) | |
drm/amdgpu: Fix integer overflow issues in amdgpu_userq_fence.c
This patch only affects 32bit systems. There are several integer
overflows bugs here but only the "sizeof(u32) * num_syncobj"
multiplication is a problem at runtime. (The last lines of this patch).
These variables are u32 variables that come from the user. The issue
is the multiplications can overflow leading to us allocating a smaller
buffer than intended. For the first couple integer overflows, the
syncobj_handles = memdup_user() allocation is immediately followed by
a kmalloc_array():
syncobj = kmalloc_array(num_syncobj_handles, sizeof(*syncobj), GFP_KERNEL);
In that situation the kmalloc_array() works as a bounds check and we
haven't accessed the syncobj_handlesp[] array yet so the integer overflow
is harmless.
But the "num_syncobj" multiplication doesn't have that and the integer
overflow could lead to an out of bounds access.
Fixes: a292fdecd728 ("drm/amdgpu: Implement userqueue signal/wait IOCTL")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Diffstat (limited to 'scripts/lib/kdoc/kdoc_parser.py')
0 files changed, 0 insertions, 0 deletions