On Wed, 28 Jan 2026, Kaushlendra Kumar <[email protected]> wrote: > The i915_l3_write() function failed to validate that the write > count did not exceed the remaining buffer size after the starting > offset. This allows userspace to trigger a heap buffer overflow. > > Clamp the write count to the remaining size of the L3 log buffer > to ensure memory safety. > > Signed-off-by: Kaushlendra Kumar <[email protected]> > --- > drivers/gpu/drm/i915/i915_sysfs.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/gpu/drm/i915/i915_sysfs.c > b/drivers/gpu/drm/i915/i915_sysfs.c > index 70e0d8615160..3c592111d0cc 100644 > --- a/drivers/gpu/drm/i915/i915_sysfs.c > +++ b/drivers/gpu/drm/i915/i915_sysfs.c > @@ -121,6 +121,7 @@ i915_l3_write(struct file *filp, struct kobject *kobj, > } > > count = round_down(count, sizeof(u32)); > + count = min_t(size_t, GEN7_L3LOG_SIZE - offset, count);
This may make count not be a multiple of sizeof(u32) again. Note how offset is treated below. BR, Jani. > memcpy(remap_info + offset / sizeof(u32), buf, count); > > /* NB: We defer the remapping until we switch to the context */ -- Jani Nikula, Intel
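Review bot: the added min_t() clamp runs after round_down(count, sizeof(u32)), so whenever GEN7_L3LOG_SIZE - offset is not a multiple of sizeof(u32) the clamped count can be unaligned again. Place the clamp before the round_down, or round down once more after it, so the memcpy length stays a whole number of u32 words. The hunk also does not show offset being bounded. If offset can exceed GEN7_L3LOG_SIZE at this point, the subtraction converted to size_t becomes a very large value and min_t() no longer limits count, so the commit message should name the earlier check that guarantees offset is below GEN7_L3LOG_SIZE, or such a check should be added ahead of this line.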
