[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["include/trace/events/dma.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"038eb433dc1474c4bc7d33188294e3d4778efdfd","lessThan":"02d209bb018a40dee9eac89e91860253dee9605b","versionType":"git","status":"affected"},{"version":"038eb433dc1474c4bc7d33188294e3d4778efdfd","lessThan":"f2584f791a10343bdc995ff6ff402db45b95de69","versionType":"git","status":"affected"},{"version":"038eb433dc1474c4bc7d33188294e3d4778efdfd","lessThan":"daafcc0ef0b358d9d622b6e3b7c43767aa3814ee","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["include/trace/events/dma.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.12","status":"affected"},{"version":"0","lessThan":"6.12","versionType":"semver","status":"unaffected"},{"version":"6.12.74","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.13","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-787

OR
          *cpe:2.3:o:linux:linux_kernel:6.12:-:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.13 up to (excluding) 6.18.13
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.12.1 up to (excluding) 6.12.74

kernel.org: https://git.kernel.org/stable/c/02d209bb018a40dee9eac89e91860253dee9605b Types: Patch

kernel.org: https://git.kernel.org/stable/c/daafcc0ef0b358d9d622b6e3b7c43767aa3814ee Types: Patch

kernel.org: https://git.kernel.org/stable/c/f2584f791a10343bdc995ff6ff402db45b95de69 Types: Patch

In the Linux kernel, the following vulnerability has been resolved:

tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow

The dma_map_sg tracepoint can trigger a perf buffer overflow when
tracing large scatter-gather lists. With devices like virtio-gpu
creating large DRM buffers, nents can exceed 1000 entries, resulting
in:

  phys_addrs: 1000 * 8 bytes = 8,000 bytes
  dma_addrs:  1000 * 8 bytes = 8,000 bytes
  lengths:    1000 * 4 bytes = 4,000 bytes
  Total: ~20,000 bytes

This exceeds PERF_MAX_TRACE_SIZE (8192 bytes), causing:

  WARNING: CPU: 0 PID: 5497 at kernel/trace/trace_event_perf.c:405
  perf buffer not large enough, wanted 24620, have 8192

Cap all three dynamic arrays at 128 entries using min() in the array
size calculation. This ensures arrays are only as large as needed
(up to the cap), avoiding unnecessary memory allocation for small
operations while preventing overflow for large ones.

The tracepoint now records the full nents/ents counts and a truncated
flag so users can see when data has been capped.

Changes in v2:
- Use min(nents, DMA_TRACE_MAX_ENTRIES) for dynamic array sizing
  instead of fixed DMA_TRACE_MAX_ENTRIES allocation (feedback from
  Steven Rostedt)
- This allocates only what's needed up to the cap, avoiding waste
  for small operations

Reviwed-by: Sean Anderson <[email protected]>

https://git.kernel.org/stable/c/02d209bb018a40dee9eac89e91860253dee9605b

https://git.kernel.org/stable/c/daafcc0ef0b358d9d622b6e3b7c43767aa3814ee

https://git.kernel.org/stable/c/f2584f791a10343bdc995ff6ff402db45b95de69