| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ct5tkr764socel5o4gtd4k2fgofqiljy3yzdjokij3jjkcf2ks@c3p7fs33znoe>
Date: Tue, 3 Feb 2026 21:43:12 +0000
From: Brian Starkey <brian.starkey@....com>
To: Alexander Konyukhov <Alexander.Konyukhov@...persky.com>
Cc: Liviu Dudau <liviu.dudau@....com>,
Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>, Maxime Ripard <mripard@...nel.org>,
Thomas Zimmermann <tzimmermann@...e.de>, David Airlie <airlied@...il.com>,
Simona Vetter <simona@...ll.ch>, dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
lvc-project@...uxtesting.org, nd@....com
Subject: Re: [PATCH] drm/komeda: fix integer overflow in AFBC framebuffer
size check
Hi Alexander,
On Tue, Feb 03, 2026 at 04:48:46PM +0000, Alexander Konyukhov wrote:
> The AFBC framebuffer size validation calculates the minimum required
> buffer size by adding the AFBC payload size to the framebuffer offset.
> This addition is performed without checking for integer overflow.
>
> If the addition oveflows, the size check may incorrectly succed and
> allow userspace to provide an undersized drm_gem_object, potentially
> leading to out-of-bounds memory access.
>
> Add usage of check_add_overflow() to safely compute the minimum
> required size and reject the framebuffer if an overflow is detected.
> This makes the AFBC size validation more robust against malformed.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 65ad2392dd6d ("drm/komeda: Added AFBC support for komeda driver")
> Signed-off-by: Alexander Konyukhov <Alexander.Konyukhov@...persky.com>
> ---
> drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> index 3ca461eb0a24..3cb34d03f7f8 100644
> --- a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> +++ b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> @@ -4,6 +4,8 @@
> * Author: James.Qian.Wang <james.qian.wang@....com>
> *
> */
> +#include <linux/overflow.h>
> +
> #include <drm/drm_device.h>
> #include <drm/drm_fb_dma_helper.h>
> #include <drm/drm_gem.h>
> @@ -93,7 +95,9 @@ komeda_fb_afbc_size_check(struct komeda_fb *kfb, struct drm_file *file,
> kfb->afbc_size = kfb->offset_payload + n_blocks *
> ALIGN(bpp * AFBC_SUPERBLK_PIXELS / 8,
> AFBC_SUPERBLK_ALIGNMENT);
> - min_size = kfb->afbc_size + fb->offsets[0];
Can this really overflow? Is the concern a hypothetical ILP64
situation?
min_size is u64, kfb->afbc_size is u32, and fb->offsets[0] is unsigned
int.
Thanks,
-Brian
> + if (check_add_overflow(kfb->afbc_size, fb->offsets[0], &min_size)) {
> + goto check_failed;
> + }
> if (min_size > obj->size) {
> DRM_DEBUG_KMS("afbc size check failed, obj_size: 0x%zx. min_size 0x%llx.\n",
> obj->size, min_size);
> --
> 2.43.0
>
Powered by blists - more mailing lists