Commit 32b415a9 authored by Ian Forbes's avatar Ian Forbes Committed by Zack Rusin
Browse files

drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE 



This data originates from userspace and is used in buffer offset
calculations which could potentially overflow causing an out-of-bounds
access.

Fixes: 8ce75f8a ("drm/vmwgfx: Update device includes for DX device functionality")
Reported-by: default avatarRohit Keshri <rkeshri@redhat.com>
Signed-off-by: default avatarIan Forbes <ian.forbes@broadcom.com>
Reviewed-by: default avatarMaaz Mombasawala <maaz.mombasawala@broadcom.com>
Signed-off-by: default avatarZack Rusin <zack.rusin@broadcom.com>
Link: https://patch.msgid.link/20251021190128.13014-1-ian.forbes@broadcom.com
parent b750f5a9

drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c

+5 −0
Original line number Diff line number Diff line
@@ -3668,6 +3668,11 @@ static int vmw_cmd_check(struct vmw_private *dev_priv, 




	cmd_id = header->id;

	if (header->size > SVGA_CMD_MAX_DATASIZE) {

		VMW_DEBUG_USER("SVGA3D command: %d is too big.\n",

			       cmd_id + SVGA_3D_CMD_BASE);

		return -E2BIG;

	}

	*size = header->size + sizeof(SVGA3dCmdHeader);



	cmd_id -= SVGA_3D_CMD_BASE;