Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues: - [Critical] Integer overflow in `frames_size` accumulation in `appletbdrm_primary_plane_helper_begin_fb_access()` leads to an undersized allocation and subsequent heap buffer overflow. -- commit 95dfe9915dca0c203d54cd610ead65b1de9a07b7 Author: Thomas Zimmermann <[email protected]> drm/damage-helper: Remove old state from drm_atomic_helper_damage_iter_init() This commit removes the unused old_plane_state parameter from drm_atomic_helper_damage_iter_init() and updates all callers. Most callers no longer require the old plane state in their atomic_update helpers. [ ... ] > diff --git a/drivers/gpu/drm/tiny/appletbdrm.c > b/drivers/gpu/drm/tiny/appletbdrm.c > index b683dcb35b0be..eadc3aed72774 100644 > --- a/drivers/gpu/drm/tiny/appletbdrm.c > +++ b/drivers/gpu/drm/tiny/appletbdrm.c 
> @@ -324,7 +324,7 @@ static int > appletbdrm_primary_plane_helper_begin_fb_access(struct drm_plane *pla > struct drm_rect damage; > size_t request_size; > > - drm_atomic_helper_damage_iter_init(&iter, NULL, new_plane_state); > + drm_atomic_helper_damage_iter_init(&iter, new_plane_state); > drm_atomic_for_each_plane_damage(&iter, &damage) { > frames_size += struct_size((struct appletbdrm_frame *)0, buf, > rect_size(&damage)); [Severity: Critical] This is a pre-existing issue, but can this loop cause an integer overflow when accumulating frames_size? Because += is used instead of safe accumulation like size_add(), supplying a large number of clips (or clips with large dimensions) could cause the size_t variable frames_size to wrap around. For example, on 32-bit systems, a large amount of damage clips can map to >4GB of frame data. This would result in an undersized buffer being allocated via kvzalloc(). Subsequently, in appletbdrm_flush_damage(), the code iterates over the same clips and uses drm_fb_memcpy() or drm_fb_xrgb8888_to_bgr888() to copy the full unclipped frame data into the destination buffer, potentially causing a heap buffer overflow. > } [ ... ] -- Sashiko AI review ยท https://sashiko.dev/#/patchset/[email protected]?part=6
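Review bot: The `frames_size += struct_size(...)` line in this hunk's context is the only unguarded arithmetic in the loop and should be changed to a saturating sum, but in a separate patch rather than here, since this hunk only drops the unused old-state argument from `drm_atomic_helper_damage_iter_init()` and leaves the accumulation untouched. `struct_size()` already saturates to SIZE_MAX if its own multiply overflows, so the wrap the review above describes can only come from the running `+=` across clips; writing it as `frames_size = size_add(frames_size, struct_size((struct appletbdrm_frame *)0, buf, rect_size(&damage)));` makes the total saturate as well, so the later `kvzalloc()` fails cleanly instead of returning an undersized buffer, provided the caller already handles a NULL return. Keeping the hardening out of this mechanical cleanup also lets it be backported on its own.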
