From mboxrd@z Thu Jan 1 00:00:00 1970 From: Claude Code Review Bot To: dri-devel-reviews@example.com Subject: Claude review: drm/amdgpu,radeon: fix integer overflow in pitch alignment Date: Sun, 12 Apr 2026 14:15:40 +1000 Message-ID: In-Reply-To: <20260406225008.2787532-1-werner@verivus.com> References: <20260406225008.2787532-1-werner@verivus.com> X-Mailer: Claude Code Patch Reviewer Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit MIME-Version: 1.0 Overall Series Review Subject: drm/amdgpu,radeon: fix integer overflow in pitch alignment Author: Werner Kasselman Patches: 3 Reviewed: 2026-04-12T14:15:40.221211 --- This is a well-motivated 2-patch series fixing a real integer overflow vulnerability in the pitch alignment functions of both the amdgpu and radeon DRM drivers. The bug allows an unprivileged local user to create a zero-size GEM buffer object via `DRM_IOCTL_MODE_CREATE_DUMB`, which could lead to out-of-bounds memory access. The root cause analysis is correct: `drm_mode_create_dumb()` validates `cpp * width` fits in u32 *before* calling the driver, but both `amdgpu_gem_align_pitch()` and `radeon_align_pitch()` round up `width` by up to 255 pixels, which can push the subsequent `aligned * cpp` multiplication past `INT_MAX`, causing signed integer overflow (undefined behavior in C) that wraps to 0. The patches are minimal, correct, and appropriate for stable backport. One minor series-level observation: the `Signed-off-by` uses `werner@verivus.com` while the `From:` header shows `werner@verivus.ai` -- this domain mismatch may need clarification for the DCO. The commit messages correctly note that the long-term fix is converting to `drm_mode_size_dumb()`, making these targeted stopgap fixes appropriate. --- --- Generated by Claude Code Patch Reviewer