From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: drm/qxl: validate dst_offset in apply_reloc against BO size
Date: Sat, 16 May 2026 10:59:08 +1000
Message-ID: <review-overall-1778753260.e30adb21c660@berkoc.com>
In-Reply-To: <1778753260.e30adb21c660@berkoc.com>
Overall Series Review
Subject: drm/qxl: validate dst_offset in apply_reloc against BO size
Author: Berkant Koc <me@berkoc.com>
Patches: 1
Reviewed: 2026-05-16T10:59:08.741312
---
This is a single-patch security fix for a real out-of-bounds write vulnerability (CWE-787) in the QXL DRM driver that has existed since the driver was merged in v3.10 (2013). The commit message is thorough and well-written, clearly explaining the attack surface and scope. The fix itself is correct — it adds the missing bounds check that an existing aspirational comment explicitly called for but was never implemented.
The fix is the right approach (validate at the reloc processing site before the write), and the logic is sound. There are a few issues that should be addressed before merging, ranging from missing kernel metadata tags to a pre-existing cross-page write bug that should at minimum be noted.
**Verdict: Needs minor revision** — the core fix is correct but it needs a `Fixes:` tag, a `Cc: stable` tag, and ideally should also address the page-boundary crossing issue it partially inherits.
---
Generated by Claude Code Patch Reviewer