lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aYNgQ5h7TuFuZs3t@e142607>
Date: Wed, 4 Feb 2026 15:05:39 +0000
From: Liviu Dudau <liviu.dudau@....com>
To: Alexander Konyukhov <Alexander.Konyukhov@...persky.com>
Cc: Brian Starkey <brian.starkey@....com>,
	Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
	Maxime Ripard <mripard@...nel.org>,
	Thomas Zimmermann <tzimmermann@...e.de>,
	David Airlie <airlied@...il.com>, Simona Vetter <simona@...ll.ch>,
	"dri-devel@...ts.freedesktop.org" <dri-devel@...ts.freedesktop.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"lvc-project@...uxtesting.org" <lvc-project@...uxtesting.org>,
	"nd@....com" <nd@....com>
Subject: Re: [PATCH] drm/komeda: fix integer overflow in AFBC framebuffer
 size check

On Wed, Feb 04, 2026 at 02:56:38PM +0000, Alexander Konyukhov wrote:
> Thank you for the replies.
> 
> According to ISO 9899 6.3.1 both operands are first converted to a common type (u32), there are no defined limits of kfb->afbc_size and fb->offsets[0] , so min_size can have an overflowed u32 value.

Yes, but according to the komeda_framebuffer.c file, line 48, the min_size is an u64 variable, so it can hold the result of adding two u32 values safely.

Best regards,
Liviu

> 
> -----Original Message-----
> From: Liviu Dudau <liviu.dudau@....com> 
> Sent: Wednesday, February 4, 2026 4:25 PM
> To: Brian Starkey <brian.starkey@....com>
> Cc: Alexander Konyukhov <Alexander.Konyukhov@...persky.com>; Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>; Maxime Ripard <mripard@...nel.org>; Thomas Zimmermann <tzimmermann@...e.de>; David Airlie <airlied@...il.com>; Simona Vetter <simona@...ll.ch>; dri-devel@...ts.freedesktop.org; linux-kernel@...r.kernel.org; lvc-project@...uxtesting.org; nd@....com
> Subject: Re: [PATCH] drm/komeda: fix integer overflow in AFBC framebuffer size check
> 
> Caution: This is an external email.
> 
> 
> 
> On Tue, Feb 03, 2026 at 09:43:12PM +0000, Brian Starkey wrote:
> > Hi Alexander,
> >
> > On Tue, Feb 03, 2026 at 04:48:46PM +0000, Alexander Konyukhov wrote:
> > > The AFBC framebuffer size validation calculates the minimum required 
> > > buffer size by adding the AFBC payload size to the framebuffer offset.
> > > This addition is performed without checking for integer overflow.
> > >
> > > If the addition oveflows, the size check may incorrectly succed and 
> > > allow userspace to provide an undersized drm_gem_object, potentially 
> > > leading to out-of-bounds memory access.
> > >
> > > Add usage of check_add_overflow() to safely compute the minimum 
> > > required size and reject the framebuffer if an overflow is detected.
> > > This makes the AFBC size validation more robust against malformed.
> > >
> > > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> > >
> > > Fixes: 65ad2392dd6d ("drm/komeda: Added AFBC support for komeda 
> > > driver")
> > > Signed-off-by: Alexander Konyukhov 
> > > <Alexander.Konyukhov@...persky.com>
> > > ---
> > >  drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c | 6 +++++-
> > >  1 file changed, 5 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c 
> > > b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> > > index 3ca461eb0a24..3cb34d03f7f8 100644
> > > --- a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> > > +++ b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> > > @@ -4,6 +4,8 @@
> > >   * Author: James.Qian.Wang <james.qian.wang@....com>
> > >   *
> > >   */
> > > +#include <linux/overflow.h>
> > > +
> > >  #include <drm/drm_device.h>
> > >  #include <drm/drm_fb_dma_helper.h>
> > >  #include <drm/drm_gem.h>
> > > @@ -93,7 +95,9 @@ komeda_fb_afbc_size_check(struct komeda_fb *kfb, struct drm_file *file,
> > >     kfb->afbc_size = kfb->offset_payload + n_blocks *
> > >                      ALIGN(bpp * AFBC_SUPERBLK_PIXELS / 8,
> > >                            AFBC_SUPERBLK_ALIGNMENT);
> > > -   min_size = kfb->afbc_size + fb->offsets[0];
> >
> > Can this really overflow? Is the concern a hypothetical ILP64 
> > situation?
> >
> > min_size is u64, kfb->afbc_size is u32, and fb->offsets[0] is unsigned 
> > int.
> 
> Yeah, I was thinking the same thing yesterday at the end of the work day when I looked at the patch. I don't think following the call flow you can end up with an overflow.
> 
> Best regards,
> Liviu
> 
> >
> > Thanks,
> > -Brian
> >
> > > +   if (check_add_overflow(kfb->afbc_size, fb->offsets[0], &min_size)) {
> > > +           goto check_failed;
> > > +   }
> > >     if (min_size > obj->size) {
> > >             DRM_DEBUG_KMS("afbc size check failed, obj_size: 0x%zx. min_size 0x%llx.\n",
> > >                           obj->size, min_size);
> > > --
> > > 2.43.0
> > >

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ