drm/amd/pm: bound pp_dpm_set_pp_table() memcpy

The powerplay path allocates hardcode_pp_table once with kmemdup(...,
soft_pp_table_size). memcpy(..., size) used the sysfs store count (up to
PAGE_SIZE) with no upper bound, causing heap overflow. Reject
writes where size exceeds soft_pp_table_size.

Signed-off-by: Asad Kamal <asad.kamal@amd.com>
Reviewed-by: Yang Wang <kevinyang.wang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

diff --git a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
index 5700bcc7ad9ab2245dd1a22ad34d76055d291e03..6f5c27bdc1e91234fa915a591c480ac5311fb355 100644 (file)
--- a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
@@ -665,6 +665,9 @@ static int pp_dpm_set_pp_table(void *handle, const char *buf, size_t size)
        if (!hwmgr || !hwmgr->pm_en)
                return -EINVAL;
 
+       if (size > hwmgr->soft_pp_table_size)
+               return -EINVAL;
+
        if (!hwmgr->hardcode_pp_table) {
                hwmgr->hardcode_pp_table = kmemdup(hwmgr->soft_pp_table,
                                                   hwmgr->soft_pp_table_size,