From: Boyuan Zhang <[email protected]>

Fix security vulnerabilities in VCN 4 encoder IB parameter parsing.
With userptr-backed IBs, userspace can race and modify the length field between validation and use, causing an infinite loop (i += 0) that hangs the kernel with VCN lock held, resulting in GPU-wide DoS.

Additional issues: out-of-bounds access when i reaches length_dw-1 but code reads ib[i+1], and missing validation of the start parameter.

Fix by validating start, using i+2 <= length_dw loop condition, reading length once to prevent TOCTOU, and adding comprehensive bounds checking.

Signed-off-by: Boyuan Zhang <[email protected]>

--- drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c index ff7269bafae8..f27f6cf5749a 100644 --- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c +++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c @@ -1932,9 +1932,19 @@ static int vcn_v4_0_enc_find_ib_param(struct amdgpu_ib *ib, uint32_t id, int sta int i; uint32_t len; - for (i = start; (len = amdgpu_ib_get_value(ib, i)) >= 8; i += len / 4) { + if (start < 0 || start >= ib->length_dw) + return -1; + + for (i = start; i + 2 <= ib->length_dw; ) { + len = amdgpu_ib_get_value(ib, i); + + if (len < 8 || (len & 3) || i + len / 4 > ib->length_dw) + break; + if (amdgpu_ib_get_value(ib, i + 1) == id) return i; + + i += len / 4; } return -1; } -- 2.43.0
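Review bot: The new `(len & 3)` test in the break condition rejects any parameter length that is not a multiple of 4, whereas the old loop accepted such lengths and simply truncated the step with `len / 4`; the commit message does not mention this stricter rule, so either state there that the VCN 4 encoder only ever emits dword-aligned parameter lengths, or keep the old tolerance by rounding the step (in which case the bound `i + len / 4 > ib->length_dw` must use the rounded-up step as well). Also, `i` is `int` while `len` is `uint32_t`, so `i + len / 4` is evaluated as unsigned and then compared with the signed `ib->length_dw`; this is safe only because `start` is now checked non-negative and `i` only grows, so a short comment or an explicit `(u32)` cast would make the intent clear to the next reader. Finally, a fix for a userspace-reachable infinite loop under the VCN lock should carry a `Fixes:` tag for the commit that introduced vcn_v4_0_enc_find_ib_param and `Cc: stable@vger.kernel.org` so that it is backported.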
