Message ID | 20250311111501.9190-1-n.zhandarovich@fintech.ru (mailing list archive)
---|---
State | New
Series | drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()
Applied. Thanks! Alex On Tue, Mar 11, 2025 at 7:23 AM Nikita Zhandarovich <n.zhandarovich@fintech.ru> wrote: > > On the off chance that command stream passed from userspace via > ioctl() call to radeon_vce_cs_parse() is weirdly crafted and > first command to execute is to encode (case 0x03000001), the function > in question will attempt to call radeon_vce_cs_reloc() with size > argument that has not been properly initialized. Specifically, 'size' > will point to 'tmp' variable before the latter had a chance to be > assigned any value. > > Play it safe and init 'tmp' with 0, thus ensuring that > radeon_vce_cs_reloc() will catch an early error in cases like these. > > Found by Linux Verification Center (linuxtesting.org) with static > analysis tool SVACE. > > Fixes: 2fc5703abda2 ("drm/radeon: check VCE relocation buffer range v3") > Cc: stable@vger.kernel.org > Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru> > --- > drivers/gpu/drm/radeon/radeon_vce.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/radeon/radeon_vce.c b/drivers/gpu/drm/radeon/radeon_vce.c > index d1871af967d4..2355a78e1b69 100644 > --- a/drivers/gpu/drm/radeon/radeon_vce.c > +++ b/drivers/gpu/drm/radeon/radeon_vce.c > @@ -557,7 +557,7 @@ int radeon_vce_cs_parse(struct radeon_cs_parser *p) > { > int session_idx = -1; > bool destroyed = false, created = false, allocated = false; > - uint32_t tmp, handle = 0; > + uint32_t tmp = 0, handle = 0; > uint32_t *size = &tmp; > int i, r = 0; >
diff --git a/drivers/gpu/drm/radeon/radeon_vce.c b/drivers/gpu/drm/radeon/radeon_vce.c index d1871af967d4..2355a78e1b69 100644 --- a/drivers/gpu/drm/radeon/radeon_vce.c +++ b/drivers/gpu/drm/radeon/radeon_vce.c @@ -557,7 +557,7 @@ int radeon_vce_cs_parse(struct radeon_cs_parser *p) { int session_idx = -1; bool destroyed = false, created = false, allocated = false; - uint32_t tmp, handle = 0; + uint32_t tmp = 0, handle = 0; uint32_t *size = &tmp; int i, r = 0;
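Review bot: the fix relies on radeon_vce_cs_reloc() rejecting a zero size, which the commit message asserts ("will catch an early error") but nothing in the hunk shows; if that function does not treat 0 as an error, the encode case (0x03000001) arriving before any size-setting command goes from reading an uninitialized value to passing size 0 and may still be accepted. Either name in the commit message the check in radeon_vce_cs_reloc() that trips on a zero size, or add an explicit rejection at the call site (along the lines of `if (*size == 0) return -EINVAL;`) so the behaviour does not depend on a sentinel value. A short comment on the declaration, e.g. `uint32_t tmp = 0, handle = 0; /* 0: no size command seen yet */`, would also record why zero is the safe initial value for the next reader of this code.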
On the off chance that command stream passed from userspace via ioctl() call to radeon_vce_cs_parse() is weirdly crafted and first command to execute is to encode (case 0x03000001), the function in question will attempt to call radeon_vce_cs_reloc() with size argument that has not been properly initialized. Specifically, 'size' will point to 'tmp' variable before the latter had a chance to be assigned any value.

Play it safe and init 'tmp' with 0, thus ensuring that radeon_vce_cs_reloc() will catch an early error in cases like these.

Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE.

Fixes: 2fc5703abda2 ("drm/radeon: check VCE relocation buffer range v3")
Cc: stable@vger.kernel.org
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
---
drivers/gpu/drm/radeon/radeon_vce.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)