From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: drm/exynos: vidi: fix to avoid directly dereferencing user pointer
Date: Mon, 23 Feb 2026 06:11:03 +1000 [thread overview]
Message-ID: <review-patch2-20260220033550.124346-3-aha310510@gmail.com> (raw)
In-Reply-To: <20260220033550.124346-3-aha310510@gmail.com>
Patch Review
This patch fixes a security issue where the user-space EDID pointer from the ioctl struct was directly cast to a kernel pointer and dereferenced. The fix properly uses `copy_from_user()` to first copy the EDID header (to read the `extensions` count), then allocates a kernel buffer and copies the full EDID data.
> + const void __user *edid_userptr = u64_to_user_ptr(vidi->edid);
> + void *edid_buf;
> + struct edid hdr;
> size_t size;
>
> - raw_edid = (const struct edid *)(unsigned long)vidi->edid;
> - size = (raw_edid->extensions + 1) * EDID_LENGTH;
> + if (copy_from_user(&hdr, edid_userptr, sizeof(hdr)))
> + return -EFAULT;
> +
> + size = (hdr.extensions + 1) * EDID_LENGTH;
The size computation is safe from overflow: `hdr.extensions` is a `u8` (max 255), so the maximum size is `256 * 128 = 32768` bytes. The use of `u64_to_user_ptr()` is the correct way to convert the `__u64` ioctl field to a `__user` pointer.
> + edid_buf = kmalloc(size, GFP_KERNEL);
> + if (!edid_buf)
> + return -ENOMEM;
> +
> + if (copy_from_user(edid_buf, edid_userptr, size)) {
> + kfree(edid_buf);
> + return -EFAULT;
> + }
> +
> + drm_edid = drm_edid_alloc(edid_buf, size);
> + kfree(edid_buf);
`drm_edid_alloc()` makes its own internal copy of the EDID data, so freeing `edid_buf` immediately after is correct. The error paths properly free `edid_buf` before returning.
There is a theoretical TOCTOU between the header copy and the full copy (user space could modify the `extensions` field between the two `copy_from_user` calls), but this is harmless: the size is computed from the kernel copy of the header, so the kernel buffer is always correctly sized. If the user modifies the data between copies, the subsequent `drm_edid_valid()` check (present in the existing code below this diff) will catch any inconsistency.
No issues found.
---
Generated by Claude Code Patch Reviewer
next prev parent reply other threads:[~2026-02-22 20:11 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-20 3:35 [PATCH 6.19.y 6.18.y 0/2] drm/exynos: vidi: fix various memory corruption bugs Jeongjun Park
2026-02-20 3:35 ` [PATCH 6.19.y 6.18.y 1/2] drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl() Jeongjun Park
2026-02-22 20:11 ` Claude review: " Claude Code Review Bot
2026-02-20 3:35 ` [PATCH 6.19.y 6.18.y 2/2] drm/exynos: vidi: fix to avoid directly dereferencing user pointer Jeongjun Park
2026-02-22 20:11 ` Claude Code Review Bot [this message]
2026-02-22 20:11 ` Claude review: drm/exynos: vidi: fix various memory corruption bugs Claude Code Review Bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=review-patch2-20260220033550.124346-3-aha310510@gmail.com \
--to=claude-review@example.com \
--cc=dri-devel-reviews@example.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox