[PATCH] drm/syncobj: Prevent overflow and large kmalloc in array_find()

Madhur Kumar posted 1 patch 4 days, 8 hours ago
drivers/gpu/drm/drm_syncobj.c | 7 +++++++
1 file changed, 7 insertions(+)
#syz test

Signed-off-by: Madhur Kumar <madhurkumar004@gmail.com>
---
 drivers/gpu/drm/drm_syncobj.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c
index e1b0fa4000cd..f322b38ec251 100644
--- a/drivers/gpu/drm/drm_syncobj.c
+++ b/drivers/gpu/drm/drm_syncobj.c
@@ -1293,6 +1293,13 @@ static int drm_syncobj_array_find(struct drm_file *file_private,
 	uint32_t i, *handles;
 	struct drm_syncobj **syncobjs;
 	int ret;
+	size_t size;
+
+	if (check_mul_overflow(count_handles, sizeof(*handles), &size))
+		return -EOVERFLOW;
+
+	if (size > KMALLOC_MAX_SIZE)
+		return -ERANGE;
 
 	handles = kmalloc_array(count_handles, sizeof(*handles), GFP_KERNEL);
 	if (handles == NULL)
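Review bot: The check_mul_overflow() guard added at the top of this hunk is redundant with the kmalloc_array() call two lines below it: kmalloc_array() already performs the same count * size overflow check internally and returns NULL on overflow, which the existing `if (handles == NULL)` path already handles, so the `-EOVERFLOW` branch can never be reached in a way the old code did not already cover. The part of the hunk that actually addresses the report (the syzbot subject on this thread is "WARNING in drm_syncobj_array_find") is the `if (size > KMALLOC_MAX_SIZE)` bound, which rejects a user-supplied count_handles large enough to make the slab allocator warn on an oversized request. Suggest keeping only that bound and computing the size inline (`count_handles * sizeof(*handles)`, with the overflow-free form or a plain upper bound on count_handles), and reconsidering `-ERANGE`: an out-of-range count coming from an ioctl argument is more conventionally reported as `-EINVAL`. Separately, the commit body consists only of "#syz test" and does not describe the warning being fixed, how a large count reaches this function, or why KMALLOC_MAX_SIZE is the right ceiling; before a non-test submission it needs that description plus the `Reported-by:` tag from the syzbot report, and a `Fixes:` tag if the originating commit is known.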
-- 
2.52.0
Re: [syzbot] [dri?] WARNING in drm_syncobj_array_find
Posted by syzbot 4 days, 8 hours ago
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+95416f957d84e858b377@syzkaller.appspotmail.com
Tested-by: syzbot+95416f957d84e858b377@syzkaller.appspotmail.com

Tested on:

commit:         765e56e4 Merge tag 'v6.18rc7-SMB-client-fix' of git://..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1696e57c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4a9a49032e9d8959
dashboard link: https://syzkaller.appspot.com/bug?extid=95416f957d84e858b377
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=155f6f42580000

Note: testing is done by a robot and is best-effort only.