Commit 16f5dfa6 authored Jul 31, 2024 by Jesse Zhang Committed by Liu Chuang Jul 31, 2024

drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc

stable inclusion
from stable-v6.6.39
commit 855ae72c20310e5402b2317fc537d911e87537ef
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGSW7
CVE: CVE-2024-42228

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=855ae72c20310e5402b2317fc537d911e87537ef



--------------------------------

[ Upstream commit 88a9a467c548d0b3c7761b4fd54a68e70f9c0944 ]

Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001.
V2: To really improve the handling we would actually
   need to have a separate value of 0xffffffff.(Christian)

Signed-off-by: Jesse Zhang <jesse.zhang@amd.com>
Suggested-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Liu Chuang <liuchuang40@huawei.com>

parent e0427893

drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -742,7 +742,8 @@ int amdgpu_vce_ring_parse_cs(struct amdgpu_cs_parser *p,
		uint32_t created = 0;
		uint32_t allocated = 0;
		uint32_t tmp, handle = 0;
		uint32_t *size = &tmp;
		uint32_t dummy = 0xffffffff;
		uint32_t *size = &dummy;
		unsigned int idx;
		int i, r = 0;