drm/v3d: Prevent out of bounds access in performance query extensions

Check that the number of perfmons userspace is passing in the copy and reset extensions is not greater than the internal kernel storage where the ids will be copied into. Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com> Fixes: bae7cb5d68 ("drm/v3d: Create a CPU job extension for the reset performance query job") Cc: Maíra Canal <mcanal@igalia.com> Cc: Iago Toral Quiroga <itoral@igalia.com> Cc: stable@vger.kernel.org # v6.8+ Reviewed-by: Iago Toral Quiroga <itoral@igalia.com> Reviewed-by: Maíra Canal <mcanal@igalia.com> Signed-off-by: Maíra Canal <mcanal@igalia.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240711135340.84617-2-tursulin@igalia.com
2026-04-18 03:23:53 -04:00 · 2024-07-11 14:53:30 +01:00
parent 6f1cacf4eb
commit f32b5128d2
1 changed files with 6 additions and 0 deletions
--- a/drivers/gpu/drm/v3d/v3d_submit.c
+++ b/drivers/gpu/drm/v3d/v3d_submit.c
@@ -637,6 +637,9 @@ v3d_get_cpu_reset_performance_params(struct drm_file *file_priv,
 	if (copy_from_user(&reset, ext, sizeof(reset)))
 		return -EFAULT;

+	if (reset.nperfmons > V3D_MAX_PERFMONS)
+		return -EINVAL;
+
 	job->job_type = V3D_CPU_JOB_TYPE_RESET_PERFORMANCE_QUERY;

 	job->performance_query.queries = kvmalloc_array(reset.count,
@@ -708,6 +711,9 @@ v3d_get_cpu_copy_performance_query_params(struct drm_file *file_priv,
 	if (copy.pad)
 		return -EINVAL;

+	if (copy.nperfmons > V3D_MAX_PERFMONS)
+		return -EINVAL;
+
 	job->job_type = V3D_CPU_JOB_TYPE_COPY_PERFORMANCE_QUERY;

 	job->performance_query.queries = kvmalloc_array(copy.count,