Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
References: <20240425192748.1761522-1-zack.rusin@broadcom.com>
In-Reply-To: <20240425192748.1761522-1-zack.rusin@broadcom.com>
From: Martin Krastev
Date: Fri, 26 Apr 2024 11:20:47 +0300
Message-ID:
Subject: Re: [PATCH] drm/vmwgfx: Fix invalid reads in fence signaled events
To: Zack Rusin
Cc: dri-devel@lists.freedesktop.org, Broadcom internal kernel review list, ian.forbes@broadcom.com, maaz.mombasawala@broadcom.com, zdi-disclosures@trendmicro.com, David Airlie, Daniel Vetter, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"

LGTM!

Reviewed-by: Martin Krastev

Regards,
Martin

On Thu, Apr 25, 2024 at 10:27 PM Zack Rusin wrote:
>
> Correctly set the length of the drm_event to the size of the structure
> that's actually used.
>
> The length of the drm_event was set to the parent structure instead of
> to the drm_vmw_event_fence which is supposed to be read. drm_read
> uses the length parameter to copy the event to the user space thus
> resulting in oob reads.
>
> Signed-off-by: Zack Rusin
> Fixes: 8b7de6aa8468 ("vmwgfx: Rework fence event action")
> Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-23566
> Cc: David Airlie
> CC: Daniel Vetter
> Cc: Zack Rusin
> Cc: Broadcom internal kernel review list
> Cc: dri-devel@lists.freedesktop.org
> Cc: linux-kernel@vger.kernel.org
> Cc: # v3.4+
> ---
>  drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
> index 2a0cda324703..5efc6a766f64 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
> @@ -991,7 +991,7 @@ static int vmw_event_fence_action_create(struct drm_file *file_priv,
>  	}
>
>  	event->event.base.type = DRM_VMW_EVENT_FENCE_SIGNALED;
> -	event->event.base.length = sizeof(*event);
> +	event->event.base.length = sizeof(event->event);
>  	event->event.user_data = user_data;
>
>  	ret = drm_event_reserve_init(dev, file_priv, &event->base, &event->event.base);
> --
> 2.40.1
>
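Review bot: The `+` line is the right bound, because drm_read copies `base.length` bytes starting at the embedded `event->event`, so the length must be the size of that member (struct drm_vmw_event_fence) rather than of the enclosing allocation that `sizeof(*event)` measured; since the enclosing struct's type is not visible in this hunk, the commit message would read better if it named it and stated the overread as sizeof(enclosing struct) minus sizeof(struct drm_vmw_event_fence), which also lets stable reviewers judge the exposure for the v3.4+ backport.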