drm/amdgpu: add upper bound check on user inputs in wait ioctl

Huge input values in amdgpu_userq_wait_ioctl can lead to a OOM and
could be exploited.

So check these input value against AMDGPU_USERQ_MAX_HANDLES
which is big enough value for genuine use cases and could
potentially avoid OOM.

v2: squash in Srini's fix

Signed-off-by: Sunil Khatri <sunil.khatri@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit fcec012c664247531aed3e662f4280ff804d1476)
Cc: stable@vger.kernel.org

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
index c5f5af20af756f89b8ba3ec4bfeab3b660712195..7e9cf1868cc9f2f651662966a54448e103b55ce4 100644 (file)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
@@ -671,6 +671,11 @@ int amdgpu_userq_wait_ioctl(struct drm_device *dev, void *data,
        if (!amdgpu_userq_enabled(dev))
                return -ENOTSUPP;
 
+       if (wait_info->num_syncobj_handles > AMDGPU_USERQ_MAX_HANDLES ||
+           wait_info->num_bo_write_handles > AMDGPU_USERQ_MAX_HANDLES ||
+           wait_info->num_bo_read_handles > AMDGPU_USERQ_MAX_HANDLES)
+               return -EINVAL;
+
        num_read_bo_handles = wait_info->num_bo_read_handles;
        bo_handles_read = memdup_user(u64_to_user_ptr(wait_info->bo_read_handles),
                                      size_mul(sizeof(u32), num_read_bo_handles));