drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()

It malicious user provides a small pptable through sysfs and then
a bigger pptable, it may cause buffer overflow attack in function
smu_sys_set_pp_table().

Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Signed-off-by: Jiang Liu <gerry@linux.alibaba.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org

diff --git a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c
index 8ca793c222ff2e9f702733ee896babdbd0598dc3..ed9dac00ebfb1805a5ab93e00f39ce7e6913a26f 100644 (file)
--- a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c
@@ -612,7 +612,8 @@ static int smu_sys_set_pp_table(void *handle,
                return -EIO;
        }
 
-       if (!smu_table->hardcode_pptable) {
+       if (!smu_table->hardcode_pptable || smu_table->power_play_table_size < size) {
+               kfree(smu_table->hardcode_pptable);
                smu_table->hardcode_pptable = kzalloc(size, GFP_KERNEL);
                if (!smu_table->hardcode_pptable)
                        return -ENOMEM;