lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <20260207232559.4037731-1-n7l8m4@u.northwestern.edu>
Date: Sat,  7 Feb 2026 23:25:59 +0000
From: Ziyi Guo <n7l8m4@...orthwestern.edu>
To: Lucas De Marchi <lucas.demarchi@...el.com>,
	Thomas Hellström <thomas.hellstrom@...ux.intel.com>,
	Rodrigo Vivi <rodrigo.vivi@...el.com>
Cc: David Airlie <airlied@...il.com>,
	Simona Vetter <simona@...ll.ch>,
	intel-xe@...ts.freedesktop.org,
	dri-devel@...ts.freedesktop.org,
	linux-kernel@...r.kernel.org,
	Ziyi Guo <n7l8m4@...orthwestern.edu>
Subject: [PATCH] drm/xe/sriov: add size validation in packet init

pkt_init() passes data->hdr.size directly to kvzalloc() without any
upper bound check. The size field is a u64 sourced from userspace via
copy_from_user() in pkt_hdr_write(), and the only validation performed
by xe_sriov_packet_init_from_hdr() is a version check.

When a VFIO migration manager or debugfs writer supplies a packet header
with size > INT_MAX, kvzalloc() reaches the size WARNING
in __kvmalloc_node_noprof() which triggers:

  WARN_ON_ONCE(!(flags & __GFP_NOWARN))

This fires a kernel WARNING, taints the kernel with TAINT_WARN, and
causes a panic on CONFIG_PANIC_ON_WARN=y systems.

Add a size bounds check in pkt_init() before the kvzalloc() call to
reject oversized packets early with -EINVAL.

Signed-off-by: Ziyi Guo <n7l8m4@...orthwestern.edu>
---
 drivers/gpu/drm/xe/xe_sriov_packet.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/xe/xe_sriov_packet.c b/drivers/gpu/drm/xe/xe_sriov_packet.c
index bab994696896..04483eeba11b 100644
--- a/drivers/gpu/drm/xe/xe_sriov_packet.c
+++ b/drivers/gpu/drm/xe/xe_sriov_packet.c
@@ -127,6 +127,9 @@ static int pkt_init(struct xe_sriov_packet *data)
 	if (data->hdr.size == 0)
 		return 0;
 
+	if (data->hdr.size > INT_MAX)
+		return -EINVAL;
+
 	if (pkt_needs_bo(data)) {
 		struct xe_bo *bo;
 
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ