summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorIan Forbes <ian.forbes@broadcom.com>2025-10-21 14:01:28 -0500
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2025-12-03 12:45:18 +0100
commite58559845021c3bad5e094219378b869157fad53 (patch)
treed261bb602c1bfb16babbcd3d5c6e8e1ed8059c50
parent335c071417ccb89f40fc8c33d7097b6e43a4f02c (diff)
downloadlinux-e58559845021c3bad5e094219378b869157fad53.tar.gz
linux-e58559845021c3bad5e094219378b869157fad53.zip
drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE
[ Upstream commit 32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af ] This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access. Fixes: 8ce75f8ab904 ("drm/vmwgfx: Update device includes for DX device functionality") Reported-by: Rohit Keshri <rkeshri@redhat.com> Signed-off-by: Ian Forbes <ian.forbes@broadcom.com> Reviewed-by: Maaz Mombasawala <maaz.mombasawala@broadcom.com> Signed-off-by: Zack Rusin <zack.rusin@broadcom.com> Link: https://patch.msgid.link/20251021190128.13014-1-ian.forbes@broadcom.com Signed-off-by: Sasha Levin <sashal@kernel.org>
-rw-r--r--drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
index 0d29fe6f6035..d31e9d380967 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -3216,6 +3216,11 @@ static int vmw_cmd_check(struct vmw_private *dev_priv,
cmd_id = header->id;
+ if (header->size > SVGA_CMD_MAX_DATASIZE) {
+ VMW_DEBUG_USER("SVGA3D command: %d is too big.\n",
+ cmd_id + SVGA_3D_CMD_BASE);
+ return -E2BIG;
+ }
*size = header->size + sizeof(SVGA3dCmdHeader);
cmd_id -= SVGA_3D_CMD_BASE;