From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Zack Rusin, David Airlie, Daniel Vetter, Broadcom internal kernel review list, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Maaz Mombasawala, Martin Krastev, zdi-disclosures@trendmicro.com
Subject: [PATCH 6.6 271/301] drm/vmwgfx: Fix invalid reads in fence signaled events
Date: Tue, 14 May 2024 12:19:02 +0200
Message-ID: <20240514101042.497048157@linuxfoundation.org>
In-Reply-To: <20240514101032.219857983@linuxfoundation.org>
References: <20240514101032.219857983@linuxfoundation.org>

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zack Rusin

commit a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c upstream.

Correctly set the length of the drm_event to the size of the structure
that's actually used.

The length of the drm_event was set to the parent structure instead of
to the drm_vmw_event_fence which is supposed to be read. drm_read
uses the length parameter to copy the event to the user space thus
resulting in oob reads.

Signed-off-by: Zack Rusin
Fixes: 8b7de6aa8468 ("vmwgfx: Rework fence event action")
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-23566
Cc: David Airlie
CC: Daniel Vetter
Cc: Zack Rusin
Cc: Broadcom internal kernel review list
Cc: dri-devel@lists.freedesktop.org
Cc: linux-kernel@vger.kernel.org
Cc: # v3.4+
Reviewed-by: Maaz Mombasawala
Reviewed-by: Martin Krastev
Link: https://patchwork.freedesktop.org/patch/msgid/20240425192748.1761522-1-zack.rusin@broadcom.com
Signed-off-by: Greg Kroah-Hartman
---
 drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c @@ -991,7 +991,7 @@ static int vmw_event_fence_action_create } event->event.base.type = DRM_VMW_EVENT_FENCE_SIGNALED; - event->event.base.length = sizeof(*event); + event->event.base.length = sizeof(event->event); event->event.user_data = user_data; ret = drm_event_reserve_init(dev, file_priv, &event->base, &event->event.base);
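
Review bot: The corrected assignment `event->event.base.length = sizeof(event->event);` carries no comment explaining why the outer `sizeof(*event)` is wrong, and the `event->event` / `event->base` naming makes the mistake easy to reintroduce. The call just below passes `&event->base` and `&event->event.base` as separate arguments, so the wrapper holds kernel-side state in addition to the user-visible event, and per the commit message drm_read copies `length` bytes to user space. A one-line comment on the length assignment stating that it must cover only the payload delivered to user space (the drm_vmw_event_fence named in the commit message) would document the invariant, and a build-time assertion tying the length to the size of that structure would enforce it.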