CVE-2025-39741
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/migrate: don't overflow max copy size
With non-page aligned copy, we need to use 4 byte aligned pitch, however the size itself might still be close to our maximum of ~8M, and so the dimensions of the copy can easily exceed the S16_MAX limit of the copy command leading to the following assert:
xe 0000:03:00.0: [drm] Assertion size / pitch <= ((s16)(((u16)~0U) >> 1)) failed!
platform: BATTLEMAGE subplatform: 1
graphics: Xe2_HPG 20.01 step A0
media: Xe2_HPM 13.01 step A1
tile: 0 VRAM 10.0 GiB
GT: 0 type 1
WARNING: CPU: 23 PID: 10605 at drivers/gpu/drm/xe/xe_migrate.c:673 emit_copy+0x4b5/0x4e0 [xe]
To fix this account for the pitch when calculating the number of current bytes to copy.
(cherry picked from commit 8c2d61e0e916e077fda7e7b8e67f25ffe0f361fc)
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 270172f64b114451876c1b68912653e72ab99f38 < 7257cc6644d540130a46a61531a07a0517cace89 | affected |
| Linux | Linux | 270172f64b114451876c1b68912653e72ab99f38 < 4126cb327a2e3273c81fcef1c594c5b7b645c44c | affected |
| Linux | Linux | 6.16 | affected |
| Linux | Linux | 0 < 6.16 | unaffected |
| Linux | Linux | 6.16.2 <= 6.16.* | unaffected |
| Linux | Linux | 6.17 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/7257cc6644d540130a46a61531a07a0517cace89
- https://git.kernel.org/stable/c/4126cb327a2e3273c81fcef1c594c5b7b645c44c
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.