<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p><br>
</p>
<div class="moz-forward-container"><br>
<br>
-------- Forwarded Message --------
<table cellpadding="0" cellspacing="0" border="0"
class="moz-email-headers-table">
<tbody>
<tr>
<th valign="BASELINE" align="RIGHT" nowrap="nowrap">Subject: </th>
<td>[PATCH 2/2] drm/amdgpu/vcn4: Avoid overflow on msg bound
check</td>
</tr>
<tr>
<th valign="BASELINE" align="RIGHT" nowrap="nowrap">Date: </th>
<td>Mon, 13 Apr 2026 10:20:37 -0400</td>
</tr>
<tr>
<th valign="BASELINE" align="RIGHT" nowrap="nowrap">From: </th>
<td>Benjamin Cheng <a class="moz-txt-link-rfc2396E" href="mailto:benjamin.cheng@amd.com"><benjamin.cheng@amd.com></a></td>
</tr>
<tr>
<th valign="BASELINE" align="RIGHT" nowrap="nowrap">To: </th>
<td>Alex Deucher <a class="moz-txt-link-rfc2396E" href="mailto:alexander.deucher@amd.com"><alexander.deucher@amd.com></a>,
Christian König <a class="moz-txt-link-rfc2396E" href="mailto:christian.koenig@amd.com"><christian.koenig@amd.com></a>,
<a class="moz-txt-link-abbreviated" href="mailto:amd-gfx@lists.freedesktop.org">amd-gfx@lists.freedesktop.org</a></td>
</tr>
<tr>
<th valign="BASELINE" align="RIGHT" nowrap="nowrap">Cc: </th>
<td>David (Ming Qiang) Wu <a class="moz-txt-link-rfc2396E" href="mailto:David.Wu3@amd.com"><David.Wu3@amd.com></a>, Ruijing
Dong <a class="moz-txt-link-rfc2396E" href="mailto:ruijing.dong@amd.com"><ruijing.dong@amd.com></a>, Leo Liu
<a class="moz-txt-link-rfc2396E" href="mailto:leo.liu@amd.com"><leo.liu@amd.com></a>, Benjamin Cheng
<a class="moz-txt-link-rfc2396E" href="mailto:benjamin.cheng@amd.com"><benjamin.cheng@amd.com></a>, SDL <a class="moz-txt-link-rfc2396E" href="mailto:sdl@nppct.ru"><sdl@nppct.ru></a></td>
</tr>
</tbody>
</table>
<br>
<br>
As pointed out by SDL, the previous condition may be vulnerable to<br>
overflow.<br>
<br>
Fixes: f405753b0751 ("drm/amdgpu/vcn4: Prevent OOB reads when
parsing dec msg")<br>
Cc: SDL <a class="moz-txt-link-rfc2396E" href="mailto:sdl@nppct.ru"><sdl@nppct.ru></a><br>
Signed-off-by: Benjamin Cheng <a class="moz-txt-link-rfc2396E" href="mailto:benjamin.cheng@amd.com"><benjamin.cheng@amd.com></a><br>
---<br>
drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 4 +++-<br>
1 file changed, 3 insertions(+), 1 deletion(-)<br>
<br>
diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c<br>
index 5dec92691f73..63d37b475c2c 100644<br>
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c<br>
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c<br>
@@ -1889,6 +1889,7 @@ static int vcn_v4_0_dec_msg(struct
amdgpu_cs_parser *p, struct amdgpu_job *job,<br>
for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4)
{<br>
uint32_t offset, size, *create;<br>
+ uint64_t buf_end;<br>
if (msg[0] != RDECODE_MESSAGE_CREATE)<br>
continue;<br>
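Review bot: buf_end is declared uint64_t on the added line while offset and size on the line above are uint32_t, so the check_add_overflow() call that fills it can never report an overflow: the sum of two 32-bit values always fits in 64 bits. The bound check stays correct only because the later comparison uses the widened sum. Either declare buf_end as uint32_t so the helper actually detects the wrap, or drop the helper and compute (uint64_t)offset + size directly, with a short comment saying which of the two is intended.<br>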
@@ -1896,7 +1897,8 @@ static int vcn_v4_0_dec_msg(struct
amdgpu_cs_parser *p, struct amdgpu_job *job,<br>
offset = msg[1];<br>
size = msg[2];<br>
- if (size < 4 || offset + size > end - addr) {<br>
+ if (size < 4 || check_add_overflow(offset, size,
&buf_end) ||<br>
+ buf_end > end - addr) {<br>
DRM_ERROR("VCN message buffer exceeds BO bounds!\n");<br>
r = -EINVAL;<br>
goto out;<br>
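Review bot: The right-hand side of the new comparison, end - addr, is still an unchecked subtraction, and nothing in the visible context shows that end cannot be below addr at this point; if both are unsigned, a wrapped difference would make buf_end > end - addr false for any buffer. Worth confirming that the invariant is established earlier in vcn_v4_0_dec_msg(), or computing the available length once before the loop with its own check and comparing buf_end against that value.<br>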
<pre class="moz-signature">--
2.53.0
</pre>
</div>
</body>
</html>