Message-ID: <20251127173534.236250-1-madhurkumar004@gmail.com>
Date: Thu, 27 Nov 2025 23:05:34 +0530
From: Madhur Kumar <madhurkumar004@...il.com>
To: maarten.lankhorst@...ux.intel.com,
	mripard@...nel.org,
	tzimmermann@...e.de,
	airlied@...il.com,
	simona@...ll.ch
Cc: dri-devel@...ts.freedesktop.org,
	linux-kernel@...r.kernel.org,
	syzbot+95416f957d84e858b377@...kaller.appspotmail.com,
	Madhur Kumar <madhurkumar004@...il.com>
Subject: [PATCH] drm/syncobj: Validate count_handles to prevent large allocations in array_find()

The DRM_IOCTL_SYNCOBJ_WAIT ioctl reads `count_handles` from userspace and
uses it directly when allocating memory in array_find(), and
kmalloc_array() allows userspace to request very large allocations,
which syzkaller was able to trigger.

Such unbounded values can lead to excessive memory requests, allocation
failures, warnings, or resource exhaustion paths. Add explicit bounds
validation to prevent excessively large allocations coming from
userspace-provided values.

Reported-by: syzbot+95416f957d84e858b377@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=95416f957d84e858b377
Fixes: 3e6fb72d6cef6 ("drm/syncobj: Add a syncobj_array_find helper")
Tested-by: syzbot+95416f957d84e858b377@...kaller.appspotmail.com
Signed-off-by: Madhur Kumar <madhurkumar004@...il.com>
---
 drivers/gpu/drm/drm_syncobj.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c
index e1b0fa4000cd..f322b38ec251 100644
--- a/drivers/gpu/drm/drm_syncobj.c
+++ b/drivers/gpu/drm/drm_syncobj.c
@@ -1293,6 +1293,13 @@ static int drm_syncobj_array_find(struct drm_file *file_private,
 	uint32_t i, *handles;
 	struct drm_syncobj **syncobjs;
 	int ret;
+	size_t size;
+
+	if (check_mul_overflow(count_handles, sizeof(*handles), &size))
+		return -EOVERFLOW;
+
+	if (size > KMALLOC_MAX_SIZE)
+		return -ERANGE;
 
 	handles = kmalloc_array(count_handles, sizeof(*handles), GFP_KERNEL);
 	if (handles == NULL)
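Review bot: the check_mul_overflow() guard added at the top of drm_syncobj_array_find() duplicates a check kmalloc_array() already performs internally (it returns NULL when count * size overflows, which the existing `if (handles == NULL)` path already catches), so only the `size > KMALLOC_MAX_SIZE` test changes behaviour here; consider dropping the overflow branch, or folding both into a single comparison against `KMALLOC_MAX_SIZE / sizeof(*handles)` with a comment explaining that the cap exists to avoid the allocator warning for oversized GFP_KERNEL requests. The two new error codes (-EOVERFLOW, -ERANGE) also introduce return values the callers of this helper did not previously see from it; an out-of-range userspace argument is conventionally reported as -EINVAL, and a single, documented code is easier for userspace to handle than two. Finally, KMALLOC_MAX_SIZE still permits a multi-megabyte kernel allocation driven directly by an untrusted count; if the ioctl has a reasonable upper bound on the number of handles, a much smaller explicit limit (or kvmalloc_array() with __GFP_NOWARN) would be a tighter fix than the allocator's own ceiling.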
-- 
2.52.0