From: Madhur Kumar
To: maarten.lankhorst@linux.intel.com, mripard@kernel.org, tzimmermann@suse.de, airlied@gmail.com, simona@ffwll.ch
Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, syzbot+95416f957d84e858b377@syzkaller.appspotmail.com, Madhur Kumar
Subject: [PATCH] drm/syncobj: Validate count_handles to prevent large allocations in array_find()
Date: Thu, 27 Nov 2025 23:05:34 +0530
Message-ID: <20251127173534.236250-1-madhurkumar004@gmail.com>
X-Mailer: git-send-email 2.52.0
X-Mailing-List: linux-kernel@vger.kernel.org

The DRM_IOCTL_SYNCOBJ_WAIT ioctl reads `count_handles` from userspace and uses it directly when allocating memory in array_find(), and kmalloc_array() allows userspace to request very large allocations, which syzkaller was able to trigger.

Such unbounded values can lead to excessive memory requests, allocation failures, warnings, or resource exhaustion paths.

Add explicit bounds validation to prevent excessively large allocations coming from userspace-provided values.

Reported-by: syzbot+95416f957d84e858b377@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=95416f957d84e858b377
Fixes: 3e6fb72d6cef6 ("drm/syncobj: Add a syncobj_array_find helper")
Tested-by: syzbot+95416f957d84e858b377@syzkaller.appspotmail.com
Signed-off-by: Madhur Kumar
---
 drivers/gpu/drm/drm_syncobj.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c index e1b0fa4000cd..f322b38ec251 100644 --- a/drivers/gpu/drm/drm_syncobj.c +++ b/drivers/gpu/drm/drm_syncobj.c @@ -1293,6 +1293,13 @@ static int drm_syncobj_array_find(struct drm_file *f= ile_private, uint32_t i, *handles; struct drm_syncobj **syncobjs; int ret; + size_t size; + + if (check_mul_overflow(count_handles, sizeof(*handles), &size)) + return -EOVERFLOW; + + if (size > KMALLOC_MAX_SIZE) + return -ERANGE; =20 handles =3D kmalloc_array(count_handles, sizeof(*handles), GFP_KERNEL); if (handles =3D=3D NULL) --=20 2.52.0
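Review bot: the check_mul_overflow() test at the top of the hunk is redundant, because kmalloc_array() already returns NULL when count_handles * sizeof(*handles) overflows and the existing `if (handles == NULL)` path right below the new lines catches that case; only the `size > KMALLOC_MAX_SIZE` comparison adds behaviour, so the hunk could shrink to a single bound such as `if (count_handles > KMALLOC_MAX_SIZE / sizeof(*handles)) return -EINVAL;` with no extra `size` variable. Note also that -EOVERFLOW and -ERANGE are new errnos surfaced to userspace for inputs that previously ended in the kmalloc_array() failure path, so either keep the errno that path already returns or state the user-visible change in the commit message.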