diff options
| author | Rajat Gupta <rajat.gupta@oss.qualcomm.com> | 2026-05-20 22:11:21 -0700 |
|---|---|---|
| committer | Thomas Zimmermann <tzimmermann@suse.de> | 2026-05-29 08:30:47 +0200 |
| commit | 5ab62dd3687bcc2cc542b99385aabac5c996db6f (patch) | |
| tree | eecadb300b76ea23b1b950f9fa216a721392987f /kernel | |
| parent | ead6680f354f83966c796fc7f9463a3171789616 (diff) | |
drm: prevent integer overflows in dumb buffer creation helpers
Fix integer overflow issues in the dumb buffer creation path:
1. drm_mode_create_dumb() does not bound width, height, or bpp
before passing them to driver callbacks. Downstream helpers
(e.g. drm_gem_dma_dumb_create_internal) perform pitch/size
alignment in u32 arithmetic that can overflow for extreme
values. Add hard limits: width and height < 8192, bpp <= 32.
No legitimate software rendering use case exceeds these.
2. drm_mode_align_dumb() uses roundup(pitch, hw_pitch_align)
without checking for overflow. If pitch is near U32_MAX,
roundup() wraps to a small value, making subsequent
check_mul_overflow() pass with a much smaller pitch than
intended. Add an overflow check after roundup.
3. drm_mode_align_dumb() uses ALIGN(size, hw_size_align) which
only works correctly for power-of-two alignment values.
Replace with roundup() which works for any alignment.
Suggested-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Diffstat (limited to 'kernel')
0 files changed, 0 insertions, 0 deletions