The DRM_IOCTL_SYNCOBJ_WAIT ioctl reads `count_handles` from userspace and uses it directly when allocating memory in array_find(), and kmalloc_array() allows userspace to request very large allocations, which syzkaller was able to trigger.
Such unbounded values can lead to excessive memory requests, allocation failures, warnings, or resource exhaustion paths. Add explicit bounds validation to prevent excessively large allocations coming from userspace-provided values. Reported-by: [email protected] Closes: https://syzkaller.appspot.com/bug?extid=95416f957d84e858b377 Fixes: 3e6fb72d6cef6 ("drm/syncobj: Add a syncobj_array_find helper") Tested-by: [email protected] Signed-off-by: Madhur Kumar <[email protected]> --- drivers/gpu/drm/drm_syncobj.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c index e1b0fa4000cd..f322b38ec251 100644 --- a/drivers/gpu/drm/drm_syncobj.c +++ b/drivers/gpu/drm/drm_syncobj.c @@ -1293,6 +1293,13 @@ static int drm_syncobj_array_find(struct drm_file *file_private, uint32_t i, *handles; struct drm_syncobj **syncobjs; int ret; + size_t size; + + if (check_mul_overflow(count_handles, sizeof(*handles), &size)) + return -EOVERFLOW; + + if (size > KMALLOC_MAX_SIZE) + return -ERANGE; handles = kmalloc_array(count_handles, sizeof(*handles), GFP_KERNEL); if (handles == NULL) -- 2.52.0
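Review bot: the check_mul_overflow() guard added before kmalloc_array() duplicates a check kmalloc_array() already performs (it returns NULL when count_handles * sizeof(*handles) overflows), so the hunk now reports the same "too many handles" condition with three different errnos: -EOVERFLOW from the overflow check, -ERANGE from the KMALLOC_MAX_SIZE check, and whatever the existing `if (handles == NULL)` path returns. Suggest collapsing this to one explicit bound on the count, e.g. `if (count_handles > DRM_SYNCOBJ_MAX_HANDLES) return -EINVAL;` with the constant (name here is a placeholder for the maintainers to choose) defined and documented in the uapi header, so the limit is a stated interface guarantee rather than a side effect of KMALLOC_MAX_SIZE, which varies with kernel configuration and is not meaningful to userspace. That single check also addresses the warning path the commit message mentions, since the oversized request never reaches the allocator. Minor: the commit message refers to "array_find()"; naming drm_syncobj_array_find() in full would make the log entry easier to find.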
