| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251127130500.84415-1-madhurkumar004@gmail.com> Date: Thu, 27 Nov 2025 18:35:00 +0530 From: Madhur Kumar <madhurkumar004@...il.com> To: syzbot+95416f957d84e858b377@...kaller.appspotmail.com, syzkaller-bugs@...glegroups.com, linux-kernel@...r.kernel.org Cc: Madhur Kumar <madhurkumar004@...il.com> Subject: [PATCH] drm/syncobj: Prevent overflow and large kmalloc in array_find() #syz test Signed-off-by: Madhur Kumar <madhurkumar004@...il.com> --- drivers/gpu/drm/drm_syncobj.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c index e1b0fa4000cd..f322b38ec251 100644 --- a/drivers/gpu/drm/drm_syncobj.c +++ b/drivers/gpu/drm/drm_syncobj.c @@ -1293,6 +1293,13 @@ static int drm_syncobj_array_find(struct drm_file *file_private, uint32_t i, *handles; struct drm_syncobj **syncobjs; int ret; + size_t size; + + if (check_mul_overflow(count_handles, sizeof(*handles), &size)) + return -EOVERFLOW; + + if (size > KMALLOC_MAX_SIZE) + return -ERANGE; handles = kmalloc_array(count_handles, sizeof(*handles), GFP_KERNEL); if (handles == NULL) -- 2.52.0
Powered by blists - more mailing lists