On 10/21/25 12:01 PM, Ian Forbes wrote:
> This data originates from userspace and is used in buffer offset
> calculations which could potentially overflow causing an out-of-bounds
> access.
>
> Fixes: 8ce75f8ab904 ("drm/vmwgfx: Update device includes for DX device
> functionality")
> Reported-by: Rohit Keshri <[email protected]>
> Signed-off-by: Ian Forbes <[email protected]>
> ---
> drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> index b00818aaf94b..41a77dce99a2 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> @@ -3668,6 +3668,11 @@ static int vmw_cmd_check(struct vmw_private *dev_priv,
>
>
> cmd_id = header->id;
> + if (header->size > SVGA_CMD_MAX_DATASIZE) {
> + VMW_DEBUG_USER("SVGA3D command: %d is too big.\n",
> + cmd_id + SVGA_3D_CMD_BASE);
> + return -E2BIG;
> + }
> *size = header->size + sizeof(SVGA3dCmdHeader);
>
> cmd_id -= SVGA_3D_CMD_BASE;
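Review bot: The debug message in the new size check prints the wrong command number, because at that point cmd_id still holds the raw header->id. The "cmd_id -= SVGA_3D_CMD_BASE;" adjustment only runs after the check, so printing "cmd_id + SVGA_3D_CMD_BASE" reports a value SVGA_3D_CMD_BASE higher than the id userspace submitted. Either print cmd_id unchanged here, or move the size check below the subtraction so the existing "+ SVGA_3D_CMD_BASE" convention applies. It would also help to note in the commit message or a comment that the bound is what keeps "header->size + sizeof(SVGA3dCmdHeader)" from wrapping, since that is the calculation being protected.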
Looks good.
Reviewed-by: Maaz Mombasawala <[email protected]>
--
Maaz Mombasawala <[email protected]>