public inbox for drm-ai-reviews@public-inbox.freedesktop.org
From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: drm/amdgpu: fix integer overflow in amdgpu_gem_align_pitch()
Date: Sun, 12 Apr 2026 14:15:40 +1000
Message-ID: <review-patch1-20260406225008.2787532-2-werner@verivus.com>
In-Reply-To: <20260406225008.2787532-2-werner@verivus.com>

Patch Review

**Correctness: Good.** The overflow analysis is sound. With `width=1073741760, bpp=32` (cpp=4):
- `drm_mode_create_dumb()` passes validation: `4 * 1073741760 = 4294967040 < U32_MAX`
- In `amdgpu_gem_align_pitch()`: `aligned = 1073741760`, `pitch_mask = 63`, after rounding `aligned = 1073741824` (2^30)
- `aligned * cpp = 1073741824 * 4 = 2^32` which overflows signed `int` (max 2^31-1)

**The overflow check:**
```c
if (aligned > INT_MAX / (cpp ? cpp : 1) || aligned <= 0)
    return 0;
```

- The `INT_MAX / cpp` check correctly catches the case above: `INT_MAX/4 = 536870911 < 1073741824`.
- The `aligned <= 0` check covers the case where `args->width` (u32) overflows when assigned to `int width` in the function parameter, wrapping to negative.
- The `cpp ? cpp : 1` division-by-zero guard is technically unreachable since `drm_mode_create_dumb()` rejects `bpp=0` at line 199, but is reasonable defensive coding.

**Using 0 as error return:** Since `width=0` is already rejected by `drm_mode_create_dumb()` (line 199), 0 is safe as a sentinel here. The caller correctly checks for it.

**The `!args->size` check in `amdgpu_mode_dumb_create()`:**
```c
if (!args->size)
    return -EINVAL;
```
This is technically redundant -- if `args->pitch` is non-zero and `args->height` is non-zero (guaranteed by the core), then `(u64)pitch * height` is non-zero, and `ALIGN(non_zero, PAGE_SIZE)` is always >= `PAGE_SIZE`. Harmless belt-and-suspenders though, so not a blocking issue.

**Fixes tag:** Points to `087451f372bf ("drm/amdgpu: use generic fb helpers instead of setting up AMD own's.")`. This doesn't seem like the commit that *introduced* `amdgpu_gem_align_pitch()` itself, but rather a refactoring commit. The Fixes tag would ideally point to whatever commit introduced the vulnerable function. Worth verifying.

**Verdict: Looks correct and appropriate for merge.** Minor nit on the Fixes tag.

---
Generated by Claude Code Patch Reviewer
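
The guard discussed in this review, as a stand-alone user-space model added here (not code from the patch or from the kernel). The function names and the 64-bit round-up are assumptions made for illustration; `pitch_mask = 63` and the sample width come from the review above.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: exact pitch in bytes, computed in 64 bits so that
 * neither the round-up nor the multiplication can overflow. */
static int64_t exact_pitch(int width, int cpp, int pitch_mask)
{
    int64_t aligned = ((int64_t)width + pitch_mask) & ~(int64_t)pitch_mask;
    return aligned * cpp;
}

/* Hypothetical model of a guarded pitch calculation: returns the pitch in
 * bytes, or 0 when the inputs are invalid or the result does not fit in int. */
static int align_pitch_checked(int width, int cpp, int pitch_mask)
{
    int64_t aligned;

    /* A u32 width above INT_MAX arrives here as a negative int. */
    if (width <= 0 || cpp <= 0 || pitch_mask < 0)
        return 0;

    aligned = ((int64_t)width + pitch_mask) & ~(int64_t)pitch_mask;

    /* Same shape as the quoted guard: compare against INT_MAX / cpp
     * instead of multiplying first and inspecting the result. */
    if (aligned > INT_MAX / cpp)
        return 0;

    return (int)(aligned * cpp);
}

int main(void)
{
    /* Constructed inputs: two ordinary widths, both sides of the cpp=4
     * boundary, the width from the review, and a negative width. */
    const int widths[] = { 1000, 1920, 536870848, 536870849, 1073741760, -64 };
    size_t i;

    for (i = 0; i < sizeof(widths) / sizeof(widths[0]); i++)
        printf("width=%d exact=%lld checked=%d\n", widths[i],
               (long long)exact_pitch(widths[i], 4, 63),
               align_pitch_checked(widths[i], 4, 63));
    return 0;
}
```

A return of 0 from the checked function is only usable as an error sentinel because zero width is rejected before the call, as the review notes.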

Thread overview: 6+ messages
2026-04-06 22:50 [PATCH 0/2] drm/amdgpu,radeon: fix integer overflow in pitch alignment Werner Kasselman
2026-04-06 22:50 ` [PATCH 1/2] drm/amdgpu: fix integer overflow in amdgpu_gem_align_pitch() Werner Kasselman
2026-04-12  4:15   ` Claude Code Review Bot [this message]
2026-04-06 22:50 ` [PATCH 2/2] drm/radeon: fix integer overflow in radeon_align_pitch() Werner Kasselman
2026-04-12  4:15   ` Claude review: " Claude Code Review Bot
2026-04-12  4:15 ` Claude review: drm/amdgpu,radeon: fix integer overflow in pitch alignment Claude Code Review Bot
