From 2aacd966d84b37ac7fe2f2116eb7a5a677ae2cb9 Mon Sep 17 00:00:00 2001
From: Shreeya Patel <spatel@ciq.com>
Date: Fri, 30 Jan 2026 10:38:13 +0000
Subject: [PATCH] TEST drm/vmwgfx: Validate command header size against
 SVGA_CMD_MAX_DATASIZE

jira VULN-161156
cve CVE-2025-40277
commit-author Ian Forbes <ian.forbes@broadcom.com>
commit 32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af

This data originates from userspace and is used in buffer offset
calculations which could potentially overflow causing an out-of-bounds
access.

Fixes: 8ce75f8ab904 ("drm/vmwgfx: Update device includes for DX device functionality")
	Reported-by: Rohit Keshri <rkeshri@redhat.com>
	Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
	Reviewed-by: Maaz Mombasawala <maaz.mombasawala@broadcom.com>
	Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Link: https://patch.msgid.link/20251021190128.13014-1-ian.forbes@broadcom.com
(cherry picked from commit 32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af)
	Signed-off-by: Shreeya Patel <spatel@ciq.com>
---
 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
index d49de4905efa4..4ef00b1f1cda4 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -3682,6 +3682,11 @@ static int vmw_cmd_check(struct vmw_private *dev_priv,
 
 
 	cmd_id = header->id;
+	if (header->size > SVGA_CMD_MAX_DATASIZE) {
+		VMW_DEBUG_USER("SVGA3D command: %d is too big.\n",
+			       cmd_id + SVGA_3D_CMD_BASE);
+		return -E2BIG;
+	}
 	*size = header->size + sizeof(SVGA3dCmdHeader);
 
 	cmd_id -= SVGA_3D_CMD_BASE;