drm/amdgpu: info leak in amdgpu_gem_metadata_ioctl()

There is no limit on args->data.data_size_bytes so we could read beyond
the end of the args->data.data[] array.

Reviewed-by: Christian König <christian.koenig@amd.com>
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

1 files changed, 5 insertions, 0 deletions

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
index 2f39fea10bd1..b82fab2cc888 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
@@ -427,6 +427,10 @@ int amdgpu_gem_metadata_ioctl(struct drm_device *dev, void *data,
                                            &args->data.data_size_bytes,
                                            &args->data.flags);
         } else if (args->op == AMDGPU_GEM_METADATA_OP_SET_METADATA) {
+                if (args->data.data_size_bytes > sizeof(args->data.data)) {
+                        r = -EINVAL;
+                        goto unreserve;
+                }
                 r = amdgpu_bo_set_tiling_flags(robj, args->data.tiling_info);
                 if (!r)
                         r = amdgpu_bo_set_metadata(robj, args->data.data,
@@ -434,6 +438,7 @@ int amdgpu_gem_metadata_ioctl(struct drm_device *dev, void *data,
                                                    args->data.flags);
         }
 
+unreserve:
         amdgpu_bo_unreserve(robj);
 out:
         drm_gem_object_unreference_unlocked(gobj);