drm/amdgpu/vcn4: Avoid overflow on msg bound check

commit 65bce27ea6192320448c30267ffc17ffa094e713 upstream.

As pointed out by SDL, the previous condition may be vulnerable to
overflow.

Fixes: 0a78f2bac142 ("drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg")
Cc: SDL <sdl@nppct.ru>
Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 3c5367d950140d4ec7af830b2268a5a6fdaa3885)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
index 5dec92691f73eeefaf3e5b75b805cf995129c882..63d37b475c2c33865bedbcba96dd3c4530228668 100644 (file)
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
@@ -1889,6 +1889,7 @@ static int vcn_v4_0_dec_msg(struct amdgpu_cs_parser *p, struct amdgpu_job *job,
 
        for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
                uint32_t offset, size, *create;
+               uint64_t buf_end;
 
                if (msg[0] != RDECODE_MESSAGE_CREATE)
                        continue;
@@ -1896,7 +1897,8 @@ static int vcn_v4_0_dec_msg(struct amdgpu_cs_parser *p, struct amdgpu_job *job,
                offset = msg[1];
                size = msg[2];
 
-               if (size < 4 || offset + size > end - addr) {
+               if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
+                   buf_end > end - addr) {
                        DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
                        r = -EINVAL;
                        goto out;