]> git.ipfire.org Git - thirdparty/linux.git/commitdiff
drm/amdgpu/vce: fix integer overflow in image size
authorBoyuan Zhang <boyuan.zhang@amd.com>
Mon, 25 May 2026 15:34:27 +0000 (11:34 -0400)
committerAlex Deucher <alexander.deucher@amd.com>
Wed, 1 Jul 2026 16:58:30 +0000 (12:58 -0400)
Fix a security vulnerability where malicious VCE command streams
with oversized dimensions (e.g. 65536×65536) cause 32-bit integer
overflow, wrapping the calculated buffer size to 0. This bypasses
validation and allows GPU firmware to perform out-of-bound memory
access.

The fix uses 64-bit arithmetic to detect overflow and rejects
invalid dimensions before they reach the hardware.

V2: remove redundant check
V3: modify max height value
V4: remove size64

Signed-off-by: Boyuan Zhang <boyuan.zhang@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit cbe408dba581755ad1279a487ec786d8927d778d)
Cc: stable@vger.kernel.org
drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c

index efdebd9c0a1f3c5637fa423ddcf83a7806bcaed8..eef3c9853a5c51538210e89f6f3b1488588be143 100644 (file)
@@ -877,9 +877,20 @@ int amdgpu_vce_ring_parse_cs(struct amdgpu_cs_parser *p,
                                goto out;
                        }
 
-                       *size = amdgpu_ib_get_value(ib, idx + 8) *
-                               amdgpu_ib_get_value(ib, idx + 10) *
-                               8 * 3 / 2;
+                       uint32_t width, height;
+                       width = amdgpu_ib_get_value(ib, idx + 8);
+                       height = amdgpu_ib_get_value(ib, idx + 10);
+
+                       if (width == 0 || height == 0 ||
+                           width > 4096 || height > 2304) {
+                               DRM_ERROR("invalid VCE image size: %ux%u\n",
+                                         width, height);
+                               r = -EINVAL;
+                               goto out;
+                       }
+
+                       *size = width * height * 8 * 3 / 2;
+
                        break;
 
                case 0x04000001: /* config extension */