Date: Thu, 25 Apr 2024 14:24:25 -0700
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: [PATCH] drm/vmwgfx: Fix invalid reads in fence signaled events
To: Zack Rusin, dri-devel@lists.freedesktop.org
Cc: Broadcom internal kernel review list, ian.forbes@broadcom.com, martin.krastev@broadcom.com, zdi-disclosures@trendmicro.com, David Airlie, Daniel Vetter, linux-kernel@vger.kernel.org, stable@vger.kernel.org
References: <20240425192748.1761522-1-zack.rusin@broadcom.com>
From: Maaz Mombasawala
In-Reply-To: <20240425192748.1761522-1-zack.rusin@broadcom.com>

On 4/25/24 12:27, Zack Rusin wrote:
> Correctly set the length of the drm_event to the size of the structure
> that's actually used.
>
> The length of the drm_event was set to the parent structure instead of
> to the drm_vmw_event_fence which is supposed to be read. drm_read
> uses the length parameter to copy the event to the user space thus
> resulting in oob reads.
>
> Signed-off-by: Zack Rusin
> Fixes: 8b7de6aa8468 ("vmwgfx: Rework fence event action")
> Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-23566
> Cc: David Airlie
> CC: Daniel Vetter
> Cc: Zack Rusin
> Cc: Broadcom internal kernel review list
> Cc: dri-devel@lists.freedesktop.org
> Cc: linux-kernel@vger.kernel.org
> Cc: # v3.4+
> ---
> drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
> index 2a0cda324703..5efc6a766f64 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
> @@ -991,7 +991,7 @@ static int vmw_event_fence_action_create(struct drm_file *file_priv,
> }
>
> event->event.base.type = DRM_VMW_EVENT_FENCE_SIGNALED;
> - event->event.base.length = sizeof(*event);
> + event->event.base.length = sizeof(event->event);
> event->event.user_data = user_data;
>
> ret = drm_event_reserve_init(dev, file_priv, &event->base, &event->event.base);

LGTM!

Reviewed-by: Maaz Mombasawala

Thanks,
Maaz Mombasawala
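Review bot: the replacement line in vmw_event_fence_action_create(), `event->event.base.length = sizeof(event->event);`, carries no comment, and it differs from the old `sizeof(*event)` only in which object is measured, so the reason for the choice is visible only in the commit message. Since the commit message says drm_read copies base.length bytes to user space, a short comment above the assignment stating that the length must cover only the embedded drm_vmw_event_fence, and not the parent structure that also holds `event->base`, would make it harder for a later cleanup to reintroduce the out-of-bounds read.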