Message-ID: <aYXu5vG4UBu9Xyq2@stanley.mountain>
Date: Fri, 6 Feb 2026 16:38:46 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Jonathan Kim <jonathan.kim@....com>
Cc: amd-gfx@...ts.freedesktop.org, dri-devel@...ts.freedesktop.org,
	"SHANMUGAM, SRINIVASAN" <SRINIVASAN.SHANMUGAM@....com>,
	linux-kernel <linux-kernel@...r.kernel.org>
Subject: [bug report] drm/amdkfd: add debug set and clear address watch
 points operation

[ Smatch checking is paused while we raise funding.  #SadFace
  https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]

Hello Jonathan Kim,

Commit e0f85f4690d0 ("drm/amdkfd: add debug set and clear address
watch points operation") from May 6, 2022 (linux-next), leads to the
following Smatch static checker warning:

	drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c:448 kfd_dbg_trap_clear_dev_address_watch()
	error: buffer overflow 'pdd->watch_points' 4 <= u32max user_rl='0-3,2147483648-u32max' uncapped

drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c
    433 int kfd_dbg_trap_clear_dev_address_watch(struct kfd_process_device *pdd,
    434                                         uint32_t watch_id)
    435 {
    436         int r;
    437 
    438         if (!kfd_dbg_owns_dev_watch_id(pdd, watch_id))

kfd_dbg_owns_dev_watch_id() doesn't check for negative values so
if watch_id is larger than INT_MAX it leads to a buffer overflow.
(Negative shifts are undefined).

    439                 return -EINVAL;
    440 
    441         if (!pdd->dev->kfd->shared_resources.enable_mes) {
    442                 r = debug_lock_and_unmap(pdd->dev->dqm);
    443                 if (r)
    444                         return r;
    445         }
    446 
    447         amdgpu_gfx_off_ctrl(pdd->dev->adev, false);
--> 448         pdd->watch_points[watch_id] = pdd->dev->kfd2kgd->clear_address_watch(
    449                                                         pdd->dev->adev,
    450                                                         watch_id);
    451         amdgpu_gfx_off_ctrl(pdd->dev->adev, true);
    452 
    453         if (!pdd->dev->kfd->shared_resources.enable_mes)
    454                 r = debug_map_and_unlock(pdd->dev->dqm);
    455         else
    456                 r = kfd_dbg_set_mes_debug_mode(pdd, true);
    457 
    458         kfd_dbg_clear_dev_watch_id(pdd, watch_id);
    459 
    460         return r;
    461 }

regards,
dan carpenter
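
Added example, not part of the report or of the amdkfd source: a C model of the pattern the Smatch warning describes, showing a shift-based ownership check that takes the user's u32 as a plain int (no range check, so values above INT_MAX turn negative) beside a version that range-checks the unsigned value before it is ever used as a shift count or an array index. The struct layout, the bitmask field `alloc_watch_ids`, and the `fake_clear_address_watch()` / `make_sample_pdd()` helpers are constructed stand-ins; the only values taken from the report are the array size of 4 and the function names being modelled.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_WATCH_POINTS 4	/* size of pdd->watch_points named in the warning */

/* Constructed stand-in for struct kfd_process_device (not the kernel's layout). */
struct kfd_process_device {
	uint32_t alloc_watch_ids;			/* assumed: bit N set => watch id N is owned */
	uint32_t watch_points[MAX_WATCH_POINTS];
};

/*
 * Unchecked pattern: the caller's u32 is narrowed to int and used directly as
 * a shift count.  A value above INT_MAX becomes negative, the shift is
 * undefined behaviour, and nothing bounds the later array index.
 * Only ever call this with 0 <= watch_id < MAX_WATCH_POINTS.
 */
static bool owns_watch_id_unchecked(const struct kfd_process_device *pdd, int watch_id)
{
	return (pdd->alloc_watch_ids >> watch_id) & 0x1;
}

/* Hardened check: reject out-of-range ids on the unsigned value before shifting. */
static bool owns_watch_id_checked(const struct kfd_process_device *pdd, uint32_t watch_id)
{
	if (watch_id >= MAX_WATCH_POINTS)
		return false;
	return (pdd->alloc_watch_ids >> watch_id) & 0x1;
}

/* Stand-in for kfd2kgd->clear_address_watch(); returns an observable constructed value. */
static uint32_t fake_clear_address_watch(uint32_t watch_id)
{
	return 0xC0000000u | watch_id;
}

/* Model of kfd_dbg_trap_clear_dev_address_watch() using the hardened check. */
int clear_dev_address_watch(struct kfd_process_device *pdd, uint32_t watch_id)
{
	if (!owns_watch_id_checked(pdd, watch_id))
		return -EINVAL;
	/* watch_id is now known to be < MAX_WATCH_POINTS, so the index is in bounds. */
	pdd->watch_points[watch_id] = fake_clear_address_watch(watch_id);
	pdd->alloc_watch_ids &= ~(1u << watch_id);	/* kfd_dbg_clear_dev_watch_id() stand-in */
	return 0;
}

/* Constructed sample state: a process that owns watch ids 0 and 2. */
struct kfd_process_device make_sample_pdd(void)
{
	struct kfd_process_device pdd;

	memset(&pdd, 0, sizeof(pdd));
	pdd.alloc_watch_ids = (1u << 0) | (1u << 2);
	return pdd;
}
```

The point of the hardened variant is that the comparison happens on the unsigned type the ioctl hands in, so a value such as 0x80000000 is rejected as "too large" instead of being reinterpreted as a negative shift count; the same bound also covers the array index at the `watch_points[watch_id]` store, which is the line Smatch flagged.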
