[lvc-project] [PATCH v2 2/4] drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg
SDL
sdl at nppct.ru
Thu Apr 9 21:09:11 MSK 2026
Hi, Benjamin,
I'm working on a related fix for 'vcn_v3_0_dec_msg()' that you might
want to be aware of. In your updated bounds check:
if (size < 4 || offset + size > end - addr)
the 'offset' and 'size' fields in the VCN decode message buffer are
both u32 values sourced from userspace. The check performs 32-bit
arithmetic before comparison against the 64-bit 'end' value, allowing
a crafted message with offset=0xffffffff and size=1 to wrap around
to 0 and bypass the bounds check.
Fix this by casting 'offset' to u64 before the addition so the
comparison is done in 64-bit arithmetic.
Best regards,
Alexey Nepomnyashih
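As an added illustration of the wrap described above (example code, not the kernel's vcn_v3_0_dec_msg() and not part of this mail), the original 32-bit check is modelled next to the 64-bit version. MSG_ADDR and MSG_END are constructed placeholder values, and the crafted inputs are chosen so that the wrapped sum also clears the 'size < 4' test.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed buffer geometry (hypothetical, not taken from the driver). */
#define MSG_ADDR 0x1000ULL
#define MSG_END  0x2000ULL   /* one past the last valid byte of the buffer */

/* Original check: 'offset' and 'size' are u32, so 'offset + size' is
 * evaluated in 32-bit arithmetic and may wrap before the 64-bit compare. */
static bool check_u32(uint32_t offset, uint32_t size,
                      uint64_t addr, uint64_t end)
{
    if (size < 4 || offset + size > end - addr)
        return false;   /* message rejected */
    return true;        /* message accepted */
}

/* Fixed check: casting 'offset' to u64 forces a 64-bit addition. */
static bool check_u64(uint32_t offset, uint32_t size,
                      uint64_t addr, uint64_t end)
{
    if (size < 4 || (uint64_t)offset + size > end - addr)
        return false;
    return true;
}

/* Detects whether the 32-bit sum would wrap (useful as a review aid). */
static bool sum_wraps_u32(uint32_t offset, uint32_t size)
{
    return (uint32_t)(offset + size) < offset;
}

int main(void)
{
    /* Crafted: 0xfffffff8 + 16 wraps to 8 in 32 bits. */
    uint32_t bad_off = 0xfffffff8u, bad_size = 16;
    printf("wraps: %d\n", sum_wraps_u32(bad_off, bad_size));
    printf("u32 check accepts crafted msg: %d\n",
           check_u32(bad_off, bad_size, MSG_ADDR, MSG_END));
    printf("u64 check accepts crafted msg: %d\n",
           check_u64(bad_off, bad_size, MSG_ADDR, MSG_END));
    /* A legitimate message is accepted by both. */
    printf("u64 check accepts valid msg: %d\n",
           check_u64(0x10, 0x20, MSG_ADDR, MSG_END));
    return 0;
}
```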