[lvc-project] Fwd: [PATCH 1/2] drm/amdgpu/vcn3: Avoid overflow on msg bound check

Mon Apr 13 18:31:22 MSK 2026

-------- Перенаправленное сообщение --------
Тема: 	[PATCH 1/2] drm/amdgpu/vcn3: Avoid overflow on msg bound check
Дата: 	Mon, 13 Apr 2026 10:20:36 -0400
От: 	Benjamin Cheng <benjamin.cheng at amd.com>
Кому: 	Alex Deucher <alexander.deucher at amd.com>, Christian König 
<christian.koenig at amd.com>, amd-gfx at lists.freedesktop.org
Копия: 	David (Ming Qiang) Wu <David.Wu3 at amd.com>, Ruijing Dong 
<ruijing.dong at amd.com>, Leo Liu <leo.liu at amd.com>, Benjamin Cheng 
<benjamin.cheng at amd.com>, SDL <sdl at nppct.ru>



As pointed out by SDL, the previous condition may be vulnerable to
overflow.

Fixes: fbc309508fae ("drm/amdgpu/vcn3: Prevent OOB reads when parsing 
dec msg")
Cc: SDL <sdl at nppct.ru>
Signed-off-by: Benjamin Cheng <benjamin.cheng at amd.com>
---
drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c 
b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
index 6fb4fcdbba4f..2fe5b3fe287f 100644
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
@@ -1972,6 +1972,7 @@ static int vcn_v3_0_dec_msg(struct 
amdgpu_cs_parser *p, struct amdgpu_job *job,
for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
uint32_t offset, size, *create;
+ uint64_t buf_end;
if (msg[0] != RDECODE_MESSAGE_CREATE)
continue;
@@ -1979,7 +1980,8 @@ static int vcn_v3_0_dec_msg(struct 
amdgpu_cs_parser *p, struct amdgpu_job *job,
offset = msg[1];
size = msg[2];
- if (size < 4 || offset + size > end - addr) {
+ if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
+ buf_end > end - addr) {
DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
r = -EINVAL;
goto out;

-- 
2.53.0
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://linuxtesting.org/pipermail/lvc-project/attachments/20260413/7b8f7172/attachment.html>
