[PATCH openEuler-1.0-LTS] drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc

31 Jul 2024

From: Jesse Zhang jesse.zhang@amd.com
mainline inclusion
from mainline-v6.10-rc1
commit 88a9a467c548d0b3c7761b4fd54a68e70f9c0944
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGSW7
CVE: CVE-2024-42228
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
-------------------------------
Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001.
V2: To really improve the handling we would actually
   need to have a separate value of 0xffffffff.(Christian)
Signed-off-by: Jesse Zhang jesse.zhang@amd.com
Suggested-by: Christian König christian.koenig@amd.com
Reviewed-by: Christian König christian.koenig@amd.com
Signed-off-by: Alex Deucher alexander.deucher@amd.com
Conflicts:
    drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
[adjust context conflicts]
Signed-off-by: Liu Chuang liuchuang40@huawei.com
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
index 17862b9ecccd..9c8ce75c760a 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
@@ -714,7 +714,8 @@ int amdgpu_vce_ring_parse_cs(struct amdgpu_cs_parser *p, uint32_t ib_idx)
    uint32_t created = 0;
    uint32_t allocated = 0;
    uint32_t tmp, handle = 0;
-	uint32_t *size = &tmp;
+	uint32_t dummy = 0xffffffff;
+	uint32_t *size = &dummy;
    unsigned idx;
    int i, r = 0;
-- 
2.34.1


    

2024

2023

2022

2021

2020

2019

[PATCH openEuler-1.0-LTS] drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc