[lvc-project] [PATCH] drm/komeda: fix integer overflow in AFBC framebuffer size check
Alexander Konyukhov
Alexander.Konyukhov at kaspersky.com
Wed Feb 4 17:56:38 MSK 2026
Thank you for the replies.
According to ISO 9899 6.3.1 both operands are first converted to a common type (u32), there are no defined limits of kfb->afbc_size and fb->offsets[0] , so min_size can have an overflowed u32 value.
-----Original Message-----
From: Liviu Dudau <liviu.dudau at arm.com>
Sent: Wednesday, February 4, 2026 4:25 PM
To: Brian Starkey <brian.starkey at arm.com>
Cc: Alexander Konyukhov <Alexander.Konyukhov at kaspersky.com>; Maarten Lankhorst <maarten.lankhorst at linux.intel.com>; Maxime Ripard <mripard at kernel.org>; Thomas Zimmermann <tzimmermann at suse.de>; David Airlie <airlied at gmail.com>; Simona Vetter <simona at ffwll.ch>; dri-devel at lists.freedesktop.org; linux-kernel at vger.kernel.org; lvc-project at linuxtesting.org; nd at arm.com
Subject: Re: [PATCH] drm/komeda: fix integer overflow in AFBC framebuffer size check
Caution: This is an external email.
On Tue, Feb 03, 2026 at 09:43:12PM +0000, Brian Starkey wrote:
> Hi Alexander,
>
> On Tue, Feb 03, 2026 at 04:48:46PM +0000, Alexander Konyukhov wrote:
> > The AFBC framebuffer size validation calculates the minimum required
> > buffer size by adding the AFBC payload size to the framebuffer offset.
> > This addition is performed without checking for integer overflow.
> >
> > If the addition oveflows, the size check may incorrectly succed and
> > allow userspace to provide an undersized drm_gem_object, potentially
> > leading to out-of-bounds memory access.
> >
> > Add usage of check_add_overflow() to safely compute the minimum
> > required size and reject the framebuffer if an overflow is detected.
> > This makes the AFBC size validation more robust against malformed.
> >
> > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> >
> > Fixes: 65ad2392dd6d ("drm/komeda: Added AFBC support for komeda
> > driver")
> > Signed-off-by: Alexander Konyukhov
> > <Alexander.Konyukhov at kaspersky.com>
> > ---
> > drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c | 6 +++++-
> > 1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> > b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> > index 3ca461eb0a24..3cb34d03f7f8 100644
> > --- a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> > +++ b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> > @@ -4,6 +4,8 @@
> > * Author: James.Qian.Wang <james.qian.wang at arm.com>
> > *
> > */
> > +#include <linux/overflow.h>
> > +
> > #include <drm/drm_device.h>
> > #include <drm/drm_fb_dma_helper.h>
> > #include <drm/drm_gem.h>
> > @@ -93,7 +95,9 @@ komeda_fb_afbc_size_check(struct komeda_fb *kfb, struct drm_file *file,
> > kfb->afbc_size = kfb->offset_payload + n_blocks *
> > ALIGN(bpp * AFBC_SUPERBLK_PIXELS / 8,
> > AFBC_SUPERBLK_ALIGNMENT);
> > - min_size = kfb->afbc_size + fb->offsets[0];
>
> Can this really overflow? Is the concern a hypothetical ILP64
> situation?
>
> min_size is u64, kfb->afbc_size is u32, and fb->offsets[0] is unsigned
> int.
Yeah, I was thinking the same thing yesterday at the end of the work day when I looked at the patch. I don't think following the call flow you can end up with an overflow.
Best regards,
Liviu
>
> Thanks,
> -Brian
>
> > + if (check_add_overflow(kfb->afbc_size, fb->offsets[0], &min_size)) {
> > + goto check_failed;
> > + }
> > if (min_size > obj->size) {
> > DRM_DEBUG_KMS("afbc size check failed, obj_size: 0x%zx. min_size 0x%llx.\n",
> > obj->size, min_size);
> > --
> > 2.43.0
> >
More information about the lvc-project
mailing list