From: Alexander Konyukhov
To: Liviu Dudau
CC: Alexander Konyukhov, Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, David Airlie, Simona Vetter
Subject: [PATCH] drm/komeda: fix integer overflow in AFBC framebuffer size check
Date: Tue, 3 Feb 2026 16:48:46 +0300
Message-ID: <20260203134907.1587067-1-Alexander.Konyukhov@kaspersky.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The AFBC framebuffer size validation calculates the minimum required buffer size by adding the AFBC payload size to the framebuffer offset. This addition is performed without checking for integer overflow.

If the addition overflows, the size check may incorrectly succeed and allow userspace to provide an undersized drm_gem_object, potentially leading to out-of-bounds memory access.

Add usage of check_add_overflow() to safely compute the minimum required size and reject the framebuffer if an overflow is detected. This makes the AFBC size validation more robust against malformed.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 65ad2392dd6d ("drm/komeda: Added AFBC support for komeda driver")
Signed-off-by: Alexander Konyukhov
Acked-by: Liviu Dudau
--- drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c b/driv= ers/gpu/drm/arm/display/komeda/komeda_framebuffer.c index 3ca461eb0a24..3cb34d03f7f8 100644 --- a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c +++ b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c @@ -4,6 +4,8 @@ * Author: James.Qian.Wang * */ +#include + #include #include #include 
@@ -93,7 +95,9 @@ komeda_fb_afbc_size_check(struct komeda_fb *kfb, struct d= rm_file *file, kfb->afbc_size =3D kfb->offset_payload + n_blocks * ALIGN(bpp * AFBC_SUPERBLK_PIXELS / 8, AFBC_SUPERBLK_ALIGNMENT); - min_size =3D kfb->afbc_size + fb->offsets[0]; + if (check_add_overflow(kfb->afbc_size, fb->offsets[0], &min_size)) { + goto check_failed; + } if (min_size > obj->size) { DRM_DEBUG_KMS("afbc size check failed, obj_size: 0x%zx. min_size 0x%llx.= \n", obj->size, min_size); --=20 2.43.0
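
Review bot: the context line just above the new check still computes kfb->afbc_size as kfb->offset_payload + n_blocks * ALIGN(...) with plain + and *, so a wrap in that expression would hand check_add_overflow() an already-truncated operand and the later min_size > obj->size comparison could pass as before. Please either compute that value with check_mul_overflow() and check_add_overflow() as well, or state in the commit message why it cannot wrap. In the added lines, the braces around the single goto check_failed; statement go against kernel coding style, and the overflow path jumps past the "afbc size check failed" DRM_DEBUG_KMS message, so a rejection for this reason leaves no debug trace; a short DRM_DEBUG_KMS before the goto would help.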
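
The wrap-around the commit message describes, as an added userspace example that is not part of the patch or the komeda driver. It uses the compiler builtin `__builtin_add_overflow` as a stand-in for the kernel's `check_add_overflow()`; the struct, the function names and the field widths (32-bit operands, 64-bit `min_size`) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the values the size check combines.
 * Field widths are assumptions, not taken from the driver. */
struct fb_req {
    uint32_t afbc_size; /* computed AFBC payload size */
    uint32_t offset;    /* userspace-supplied plane offset */
    uint64_t obj_size;  /* size of the backing object */
};

/* Shape of the check before the patch: the sum is formed in 32 bits
 * and can wrap before it is widened and compared. */
static bool size_ok_unchecked(const struct fb_req *r)
{
    uint64_t min_size = r->afbc_size + r->offset;
    return min_size <= r->obj_size;
}

/* Shape after the patch: the builtin forms the exact sum and reports
 * failure if it does not fit in min_size; no wrapped value is compared. */
static bool size_ok_checked(const struct fb_req *r)
{
    uint64_t min_size;
    if (__builtin_add_overflow(r->afbc_size, r->offset, &min_size))
        return false;
    return min_size <= r->obj_size;
}

int main(void)
{
    /* Constructed inputs: 0x1000 + 0xFFFFF000 wraps to 0 in 32 bits. */
    struct fb_req wrap = { 0x1000u, 0xFFFFF000u, 0x1000u };
    struct fb_req sane = { 0x1000u, 0x100u, 0x2000u };

    printf("wrap: unchecked=%d checked=%d\n",
           size_ok_unchecked(&wrap), size_ok_checked(&wrap));
    printf("sane: unchecked=%d checked=%d\n",
           size_ok_unchecked(&sane), size_ok_checked(&sane));
    return 0;
}
```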