The i915_l3_write() function failed to validate that the write count did not exceed the remaining buffer size after the starting offset. This allows userspace to trigger a heap buffer overflow.
Clamp the write count to the remaining size of the L3 log buffer to ensure memory safety. Signed-off-by: Kaushlendra Kumar <[email protected]> --- drivers/gpu/drm/i915/i915_sysfs.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/i915/i915_sysfs.c b/drivers/gpu/drm/i915/i915_sysfs.c index 70e0d8615160..3c592111d0cc 100644 --- a/drivers/gpu/drm/i915/i915_sysfs.c +++ b/drivers/gpu/drm/i915/i915_sysfs.c @@ -121,6 +121,7 @@ i915_l3_write(struct file *filp, struct kobject *kobj, } count = round_down(count, sizeof(u32)); + count = min_t(size_t, GEN7_L3LOG_SIZE - offset, count); memcpy(remap_info + offset / sizeof(u32), buf, count); /* NB: We defer the remapping until we switch to the context */ -- 2.34.1
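Review bot: in the added `count = min_t(size_t, GEN7_L3LOG_SIZE - offset, count);` line, the subtraction is only a valid bound when `offset` is already known not to exceed `GEN7_L3LOG_SIZE`. If `offset` can be larger, the difference goes negative or wraps, `min_t` casts it to a very large `size_t`, and `count` is left unclamped ahead of the `memcpy()`. The check that would guarantee this is not visible in the hunk, so please either state in the commit message which earlier validation bounds `offset`, or add an explicit test that rejects an out-of-range `offset` before the clamp. The clamp also runs after `round_down(count, sizeof(u32))`, so `count` stays a multiple of `sizeof(u32)` only if `offset` is 4-byte aligned; clamping first and rounding down afterwards would make that hold regardless.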
