Skip to content

fix BO offset and size check #956

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
maxzhen merged 3 commits into from
Jan 2, 2026
Merged

fix BO offset and size check #956

maxzhen merged 3 commits into from
Jan 2, 2026

Conversation

@maxzhen
Copy link
Collaborator

@maxzhen maxzhen commented Dec 26, 2025

No description provided.

@maxzhen
fix BO offset and size check
c1b2d95 
Signed-off-by: Max Zhen <max.zhen@amd.com>
Copilot AI reviewed Dec 26, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a buffer overflow validation issue in the AMDXDNA driver's sync_bo ioctl handler. The original check was insufficient to prevent integer overflow when adding offset and size.

Key Changes:

  • Enhanced validation in amdxdna_drm_sync_bo_ioctl to check offset and size individually before checking their sum
  • Added guards against integer overflow in buffer bounds validation

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@maxzhen
Update src/driver/amdxdna/amdxdna_gem.c
b707e8c 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings December 26, 2025 20:10
Copilot AI reviewed Dec 26, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

wendyliang25
wendyliang25 reviewed Dec 29, 2025
View reviewed changes
src/driver/amdxdna/amdxdna_gem.c
if (gobj->size < args->offset + args->size) {
if (gobj->size < args->offset ||
gobj->size < args->size ||
args->offset > gobj->size - args->size) {
Copy link
Contributor

@wendyliang25 wendyliang25 Dec 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor, just to keep this line consistent to the above two lines, maybe change it to gobj->size < args->offset + args->size

Copy link
Collaborator Author

@maxzhen maxzhen Jan 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is done to avoid overflow from args->offset + args->size. gobj->size - args->size is safe since line 1215 has done the check.

@maxzhen maxzhen merged commit 273a586 into amd:main Jan 2, 2026
1 check passed
@maxzhen maxzhen deleted the secfix branch January 2, 2026 17:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@chvamshi-xilinx chvamshi-xilinx chvamshi-xilinx approved these changes

@saifuddin-xilinx saifuddin-xilinx saifuddin-xilinx approved these changes

@wendyliang25 wendyliang25 wendyliang25 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@maxzhen @chvamshi-xilinx @saifuddin-xilinx @wendyliang25