From mboxrd@z Thu Jan 1 00:00:00 1970 From: Claude Code Review Bot To: dri-devel-reviews@example.com Subject: Claude review: accel/amdxdna: Validate command buffer payload count Date: Mon, 23 Feb 2026 06:27:49 +1000 Message-ID: In-Reply-To: <20260219211946.1920485-1-lizhi.hou@amd.com> References: <20260219211946.1920485-1-lizhi.hou@amd.com> X-Mailer: Claude Code Patch Reviewer Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit MIME-Version: 1.0 Overall Series Review Subject: accel/amdxdna: Validate command buffer payload count Author: Lizhi Hou Patches: 2 Reviewed: 2026-02-23T06:27:49.749404 --- This is a single patch fixing a buffer overread vulnerability in the amdxdna accelerator driver. The `amdxdna_cmd_get_payload()` function reads a `count` field from a command header embedded in a GEM buffer object and uses it to calculate the payload size. Before this fix, the function only checked that `count > num_masks` but did not verify that the total claimed size fits within the underlying buffer. A malicious or corrupted command buffer could set a `count` value that passes the existing check but extends past the end of the allocated buffer, leading to an out-of-bounds read when callers copy or process the payload. The fix adds a second condition to the existing validation, checking that `count * sizeof(u32) + offsetof(struct amdxdna_cmd, data[0])` does not exceed `abo->mem.size`. The arithmetic is safe from overflow since `count` is extracted from an 11-bit field (GENMASK(22, 12), max 2047), and the entire expression evaluates in `size_t` due to `sizeof(u32)` promoting the operands. The fix is minimal and targeted. --- Generated by Claude Code Patch Reviewer