CVE-2025-21996
drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()
In the Linux kernel, the following vulnerability has been resolved:
drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()
On the off chance that command stream passed from userspace via
ioctl() call to radeon_vce_cs_parse() is weirdly crafted and
first command to execute is to encode (case 0x03000001), the function
in question will attempt to call radeon_vce_cs_reloc() with size
argument that has not been properly initialized. Specifically, 'size'
will point to 'tmp' variable before the latter had a chance to be
assigned any value.
Play it safe and init 'tmp' with 0, thus ensuring that
radeon_vce_cs_reloc() will catch an early error in cases like these.
Found by Linux Verification Center (linuxtesting.org) with static
analysis tool SVACE.
(cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Produtos afetados
Linux · LinuxQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →Referências
https://git.kernel.org/stable/c/0effb378ebce52b897f85cd7f828854b8c7cb636https://git.kernel.org/stable/c/3ce08215cad55c10a6eeeb33d3583b6cfffe3ab8https://git.kernel.org/stable/c/5b4d9d20fd455a97920cf158dd19163b879cf65dhttps://git.kernel.org/stable/c/78b07dada3f02f77762d0755a96d35f53b02be69https://git.kernel.org/stable/c/9b2da9c673a0da1359a2151f7ce773e2f77d71a9https://git.kernel.org/stable/c/dd1801aa01bba1760357f2a641346ae149686713https://git.kernel.org/stable/c/dd8689b52a24807c2d5ce0a17cb26dc87f75235chttps://git.kernel.org/stable/c/f5e049028124f755283f2c07e7a3708361ed1dc8https://lists.debian.org/debian-lts-announce/2025/05/msg00030.htmlhttps://lists.debian.org/debian-lts-announce/2025/05/msg00045.html