]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
projects / thirdparty / kernel / stable.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 16608e5)
drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE
authorIan Forbes <ian.forbes@broadcom.com>
Tue, 21 Oct 2025 19:01:28 +0000 (14:01 -0500)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 24 Nov 2025 09:35:54 +0000 (10:35 +0100)
[ Upstream commit 32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af ]

This data originates from userspace and is used in buffer offset
calculations which could potentially overflow causing an out-of-bounds
access.

Fixes: 8ce75f8ab904 ("drm/vmwgfx: Update device includes for DX device functionality")
Reported-by: Rohit Keshri <rkeshri@redhat.com>
Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
Reviewed-by: Maaz Mombasawala <maaz.mombasawala@broadcom.com>
Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Link: https://patch.msgid.link/20251021190128.13014-1-ian.forbes@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c patch | blob | blame | history

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
index 8b72848bb25cd9d8024b481b249b41df25ad0cf2..0c1bd3acf35988e3e2a4c8350afb3e64260c5251 100644 (file)
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -3686,6 +3686,11 @@ static int vmw_cmd_check(struct vmw_private *dev_priv,
 
 
        cmd_id = header->id;
+       if (header->size > SVGA_CMD_MAX_DATASIZE) {
+               VMW_DEBUG_USER("SVGA3D command: %d is too big.\n",
+                              cmd_id + SVGA_3D_CMD_BASE);
+               return -E2BIG;
+       }
        *size = header->size + sizeof(SVGA3dCmdHeader);
 
        cmd_id -= SVGA_3D_CMD_BASE;
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git