Bug 2492731 (CVE-2026-53171) - CVE-2026-53171 kernel: accel/ethosu: fix arithmetic issues in dma_length()
Summary: CVE-2026-53171 kernel: accel/ethosu: fix arithmetic issues in dma_length()
Keywords:
Status: NEW
Alias: CVE-2026-53171
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-25 10:02 UTC by OSIDB Bzimport
Modified: 2026-06-25 22:07 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-25 10:02:47 UTC 
In the Linux kernel, the following vulnerability has been resolved:

accel/ethosu: fix arithmetic issues in dma_length()

dma_length() derives DMA region usage from command stream values and
updates region_size[]:

    len = ((len + stride[0]) * size0 + stride[1]) * size1
    region_size[region] = max(..., len + dma->offset)

Several arithmetic issues can corrupt the derived region size:

- signed stride values may underflow when added to len
- intermediate multiplications may overflow
- len + dma->offset may overflow during region_size updates
- dma_length() error returns were not validated by the caller

region_size[] is later used by ethosu_job.c to validate command stream
accesses against GEM buffer sizes. Arithmetic wraparound can therefore
under-report region usage and bypass the bounds validation.

Fix by validating signed additions, using overflow helpers for
multiplications and offset updates, and propagating dma_length()
failures to the caller.
Comment 1 Keith Grant 2026-06-25 22:05:03 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062552-CVE-2026-53171-acfd@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.