drm/amdgpu: add upper bound check on user inputs in signal ioctl

Huge input values in amdgpu_userq_signal_ioctl can lead to a OOM and
could be exploited.

So check these input value against AMDGPU_USERQ_MAX_HANDLES
which is big enough value for genuine use cases and could
potentially avoid OOM.

Signed-off-by: Sunil Khatri <sunil.khatri@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
index b215015a165cf89554ffb8135ef9309a98123d81..10669a249b9f5e7a80e3f3f3c71d2fe0e5acffc4 100644 (file)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
@@ -35,6 +35,8 @@
 static const struct dma_fence_ops amdgpu_userq_fence_ops;
 static struct kmem_cache *amdgpu_userq_fence_slab;
 
+#define AMDGPU_USERQ_MAX_HANDLES       (1U << 16)
+
 int amdgpu_userq_fence_slab_init(void)
 {
        amdgpu_userq_fence_slab = kmem_cache_create("amdgpu_userq_fence",
@@ -477,6 +479,11 @@ int amdgpu_userq_signal_ioctl(struct drm_device *dev, void *data,
        if (!amdgpu_userq_enabled(dev))
                return -ENOTSUPP;
 
+       if (args->num_syncobj_handles > AMDGPU_USERQ_MAX_HANDLES ||
+           args->num_bo_write_handles > AMDGPU_USERQ_MAX_HANDLES ||
+           args->num_bo_read_handles > AMDGPU_USERQ_MAX_HANDLES)
+               return -EINVAL;
+
        num_syncobj_handles = args->num_syncobj_handles;
        syncobj_handles = memdup_array_user(u64_to_user_ptr(args->syncobj_handles),
                                            num_syncobj_handles, sizeof(u32));