Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider: - [Critical] Integer Truncation leading to Heap Buffer Overflow on 32-bit architectures. --
--- Patch [6]: [PATCH v4 6/6] drm/msm: Remove invalid overflow check --- commit b6fd344e5aae554bc6124eb5aa28a19da1bb53c5 Author: Rob Clark <[email protected]> drm/msm: Remove invalid overflow check This commit changes the size variable for the msm_gem_submit allocation from uint64_t to size_t and removes the explicit check against SIZE_MAX, relying on kzalloc to handle struct_size overflows natively. > diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c > b/drivers/gpu/drm/msm/msm_gem_submit.c > index 0dc983d155cd2..744af6389ac62 100644 > --- a/drivers/gpu/drm/msm/msm_gem_submit.c > +++ b/drivers/gpu/drm/msm/msm_gem_submit.c > @@ -36,15 +36,11 @@ static struct msm_gem_submit *submit_create(struct > drm_device *dev, > { > static atomic_t ident = ATOMIC_INIT(0); > struct msm_gem_submit *submit; > - uint64_t sz; > + size_t sz; > int ret; > > sz = struct_size(submit, bos, nr_bos) + > ((u64)nr_cmds * sizeof(submit->cmd[0])); > - > - if (sz > SIZE_MAX) > - return ERR_PTR(-ENOMEM); > - [Severity: Critical] Does changing sz to size_t introduce an integer truncation vulnerability on 32-bit architectures? The right side of this assignment evaluates to a 64-bit value because nr_cmds is cast to u64. If struct_size() overflows and returns SIZE_MAX, or if nr_cmds is extremely large, the addition results in a value exceeding 4GB. When this 64-bit value is assigned to a 32-bit size_t variable on 32-bit architectures, it will implicitly truncate and wrap around to a small value. Since kzalloc() is now passed this truncated size, it will successfully allocate a small buffer instead of failing. Could this allow user-controlled nr_cmds and nr_bos values to trigger a heap buffer overflow when subsequent loops write past the allocated bounds? > submit = kzalloc(sz, GFP_KERNEL | __GFP_NOWARN); > if (!submit) > return ERR_PTR(-ENOMEM); -- Sashiko AI review ยท https://sashiko.dev/#/patchset/[email protected]?part=6
