[PATCH] drm/vmwgfx: validate execbuf header.size lower bound

Linux kernel -stable discussions
 help / color / mirror / Atom feed

* [PATCH] drm/vmwgfx: validate execbuf header.size lower bound
       [not found] ` <2026051743-genre-cacti-bdf3@gregkh>
@ 2026-05-17 13:05   ` Berkant Koc
  2026-05-17 23:23     ` Zack Rusin
  0 siblings, 1 reply; 3+ messages in thread
From: Berkant Koc @ 2026-05-17 13:05 UTC (permalink / raw)
  To: Zack Rusin, bcm-kernel-feedback-list, dri-devel
  Cc: security, Daniel Vetter, David Airlie, Thomas Zimmermann, stable

Commit 32b415a9dc2c ("drm/vmwgfx: Validate command header size against
SVGA_CMD_MAX_DATASIZE") added an upper bound on the user-supplied
SVGA3dCmdHeader.size field but no matching lower bound. When
header->size is smaller than sizeof(cmd->body), the size_t subtraction
in expressions like

  maxnum = (header->size - sizeof(cmd->body)) / sizeof(*decl);

underflows. The subsequent bound check

  if (cmd->body.numVertexDecls > maxnum) return -EINVAL;

is bypassed because maxnum is ~SIZE_MAX, and the loop walks
attacker-chosen entries past the command buffer.

In vmw_cmd_draw this leads to a 4-byte OOB-read per iteration via
vmw_cmd_res_check(&decl[i].array.surfaceId, ...); on a surface-handle
collision, vmw_resource_relocation_add records the OOB address as
rel->offset (29-bit bitfield), and vmw_resource_relocations_apply
later performs a 32-bit kernel write at cb + rel->offset.

The same root cause is present in vmw_cmd_dma (suffix pointer-arith
underflow leading to OOB-read of suffix->suffixSize) and
vmw_cmd_shader_define (size_t wraparound passed to
vmw_compat_shader_add).

Reachable via DRM_VMW_EXECBUF (DRM_RENDER_ALLOW). Reject undersized
headers at all three sites before the subtraction.

Cc: stable@vger.kernel.org # v6.18+
Fixes: 32b415a9dc2c ("drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE")
Signed-off-by: Berkant Koc <me@berkoc.com>
---
 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
index e1f18020170a..6f9c7d61cc66 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -1506,6 +1506,12 @@ static int vmw_cmd_dma(struct vmw_private *dev_priv,
 	bool dirty;

 	cmd = container_of(header, typeof(*cmd), header);
+
+	if (unlikely(header->size < sizeof(cmd->body) + sizeof(*suffix))) {
+		VMW_DEBUG_USER("DMA cmd header.size too small.\n");
+		return -EINVAL;
+	}
+
 	suffix = (SVGA3dCmdSurfaceDMASuffix *)((unsigned long) &cmd->body +
 					       header->size - sizeof(*suffix));

@@ -1572,6 +1578,12 @@ static int vmw_cmd_draw(struct vmw_private *dev_priv,
 		return ret;

 	cmd = container_of(header, typeof(*cmd), header);
+
+	if (unlikely(header->size < sizeof(cmd->body))) {
+		VMW_DEBUG_USER("Draw cmd header.size smaller than body.\n");
+		return -EINVAL;
+	}
+
 	maxnum = (header->size - sizeof(cmd->body)) / sizeof(*decl);

 	if (unlikely(cmd->body.numVertexDecls > maxnum)) {
@@ -1915,6 +1927,11 @@ static int vmw_cmd_shader_define(struct vmw_private *dev_priv,
 	if (unlikely(!dev_priv->has_mob))
 		return 0;

+	if (unlikely(cmd->header.size < sizeof(cmd->body))) {
+		VMW_DEBUG_USER("Shader define cmd header.size smaller than body.\n");
+		return -EINVAL;
+	}
+
 	size = cmd->header.size - sizeof(cmd->body);
 	ret = vmw_compat_shader_add(dev_priv, vmw_context_res_man(ctx),
 				    cmd->body.shid, cmd + 1, cmd->body.type,
-- 
2.47.3

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] drm/vmwgfx: validate execbuf header.size lower bound
  2026-05-17 13:05   ` [PATCH] drm/vmwgfx: validate execbuf header.size lower bound Berkant Koc
@ 2026-05-17 23:23     ` Zack Rusin
  2026-05-18  0:56       ` Berkant Koc
  0 siblings, 1 reply; 3+ messages in thread
From: Zack Rusin @ 2026-05-17 23:23 UTC (permalink / raw)
  To: Berkant Koc
  Cc: bcm-kernel-feedback-list, dri-devel, Daniel Vetter, David Airlie,
	Thomas Zimmermann, stable

[-- Attachment #1: Type: text/plain, Size: 3971 bytes --]

On Sun, May 17, 2026 at 10:07 AM Berkant Koc <me@berkoc.com> wrote:
>
> Commit 32b415a9dc2c ("drm/vmwgfx: Validate command header size against
> SVGA_CMD_MAX_DATASIZE") added an upper bound on the user-supplied
> SVGA3dCmdHeader.size field but no matching lower bound. When
> header->size is smaller than sizeof(cmd->body), the size_t subtraction
> in expressions like
>
>   maxnum = (header->size - sizeof(cmd->body)) / sizeof(*decl);
>
> underflows. The subsequent bound check
>
>   if (cmd->body.numVertexDecls > maxnum) return -EINVAL;
>
> is bypassed because maxnum is ~SIZE_MAX, and the loop walks
> attacker-chosen entries past the command buffer.
>
> In vmw_cmd_draw this leads to a 4-byte OOB-read per iteration via
> vmw_cmd_res_check(&decl[i].array.surfaceId, ...); on a surface-handle
> collision, vmw_resource_relocation_add records the OOB address as
> rel->offset (29-bit bitfield), and vmw_resource_relocations_apply
> later performs a 32-bit kernel write at cb + rel->offset.
>
> The same root cause is present in vmw_cmd_dma (suffix pointer-arith
> underflow leading to OOB-read of suffix->suffixSize) and
> vmw_cmd_shader_define (size_t wraparound passed to
> vmw_compat_shader_add).
>
> Reachable via DRM_VMW_EXECBUF (DRM_RENDER_ALLOW). Reject undersized
> headers at all three sites before the subtraction.
>
> Cc: stable@vger.kernel.org # v6.18+
> Fixes: 32b415a9dc2c ("drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE")
> Signed-off-by: Berkant Koc <me@berkoc.com>
> ---
>  drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> index e1f18020170a..6f9c7d61cc66 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> @@ -1506,6 +1506,12 @@ static int vmw_cmd_dma(struct vmw_private *dev_priv,
>         bool dirty;
>
>         cmd = container_of(header, typeof(*cmd), header);
> +
> +       if (unlikely(header->size < sizeof(cmd->body) + sizeof(*suffix))) {
> +               VMW_DEBUG_USER("DMA cmd header.size too small.\n");
> +               return -EINVAL;
> +       }
> +
>         suffix = (SVGA3dCmdSurfaceDMASuffix *)((unsigned long) &cmd->body +
>                                                header->size - sizeof(*suffix));
>
> @@ -1572,6 +1578,12 @@ static int vmw_cmd_draw(struct vmw_private *dev_priv,
>                 return ret;
>
>         cmd = container_of(header, typeof(*cmd), header);
> +
> +       if (unlikely(header->size < sizeof(cmd->body))) {
> +               VMW_DEBUG_USER("Draw cmd header.size smaller than body.\n");
> +               return -EINVAL;
> +       }
> +
>         maxnum = (header->size - sizeof(cmd->body)) / sizeof(*decl);
>
>         if (unlikely(cmd->body.numVertexDecls > maxnum)) {
> @@ -1915,6 +1927,11 @@ static int vmw_cmd_shader_define(struct vmw_private *dev_priv,
>         if (unlikely(!dev_priv->has_mob))
>                 return 0;
>
> +       if (unlikely(cmd->header.size < sizeof(cmd->body))) {
> +               VMW_DEBUG_USER("Shader define cmd header.size smaller than body.\n");
> +               return -EINVAL;
> +       }
> +
>         size = cmd->header.size - sizeof(cmd->body);
>         ret = vmw_compat_shader_add(dev_priv, vmw_context_res_man(ctx),
>                                     cmd->body.shid, cmd + 1, cmd->body.type,
> --
> 2.47.3
>

I think you might have forgotten to disclose the tool/llm you've used
for this. Using Claude Opus 4.7 I've found the same issues and the
series fixing those bugs is available on dri-devel at
https://patchwork.freedesktop.org/series/166024/ . If you've used a
different llm I'd love to know which one. And if you have a completely
different tool for detecting those issues that'd be great to know as
well.

z

[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 5414 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] drm/vmwgfx: validate execbuf header.size lower bound
  2026-05-17 23:23     ` Zack Rusin
@ 2026-05-18  0:56       ` Berkant Koc
  0 siblings, 0 replies; 3+ messages in thread
From: Berkant Koc @ 2026-05-18  0:56 UTC (permalink / raw)
  To: Zack Rusin
  Cc: bcm-kernel-feedback-list, dri-devel, Daniel Vetter, David Airlie,
	Thomas Zimmermann, stable

Thanks for the catch, you're right, I should have flagged the tooling
in the patch body. And cross-pollination with your own series on
patchwork is a good outcome.

Tooling: berkoc-pipeline, a custom RAG framework on Claude Opus 4.7
(Anthropic CVP cohort, May 2026). Full agentic stack: multi-tool
execution (filesystem, web fetch, code execution), parallel subagent
orchestration with adaptive task decomposition, extended-thinking
integration, retrieval-augmented context over a file-based semantic
knowledge base, MCP-style integration patterns. 7-step pre-disclosure
validation gate, manual verification on every finding before submit.

v2 of this patch will include the formal trailer:
Assisted-by: Claude:claude-opus-4-7 berkoc-pipeline

Happy to send v2 with the trailer formalised, or keep the methodology
disclosure to follow-up comments if you prefer.

Berkant

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-05-18  0:56 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <20260517-vmwgfx-uaf-report@berkoc.com>
     [not found] ` <2026051743-genre-cacti-bdf3@gregkh>
2026-05-17 13:05   ` [PATCH] drm/vmwgfx: validate execbuf header.size lower bound Berkant Koc
2026-05-17 23:23     ` Zack Rusin
2026-05-18  0:56       ` Berkant Koc

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox