From: Dan Carpenter Date: Fri, 15 Nov 2024 14:50:08 +0000 (+0300) Subject: drm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit() X-Git-Tag: block-6.14-20240131~40^2~1^2~2 X-Git-Url: https://git.kernel.dk/?a=commitdiff_plain;h=3a47f4b439beb98e955d501c609dfd12b7836d61;p=linux-block.git drm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit() The "submit->cmd[i].size" and "submit->cmd[i].offset" variables are u32 values that come from the user via the submit_lookup_cmds() function. This addition could lead to an integer wrapping bug so use size_add() to prevent that. Fixes: 198725337ef1 ("drm/msm: fix cmdstream size check") Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter Patchwork: https://patchwork.freedesktop.org/patch/624696/ Signed-off-by: Rob Clark --- diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c index fba78193127d..f775638d239a 100644 --- a/drivers/gpu/drm/msm/msm_gem_submit.c +++ b/drivers/gpu/drm/msm/msm_gem_submit.c @@ -787,8 +787,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data, goto out; if (!submit->cmd[i].size || - ((submit->cmd[i].size + submit->cmd[i].offset) > - obj->size / 4)) { + (size_add(submit->cmd[i].size, submit->cmd[i].offset) > obj->size / 4)) { SUBMIT_ERROR(submit, "invalid cmdstream size: %u\n", submit->cmd[i].size * 4); ret = -EINVAL; goto out;