From patchwork Thu Jun 22 15:28:13 2017
From: Stefan Bader
To: kernel-team@lists.ubuntu.com
Subject: [PATCH Trusty] drm/vmwgfx: Make sure backup_handle is always valid
Date: Thu, 22 Jun 2017 17:28:13 +0200
Message-Id: <1498145294-7974-2-git-send-email-stefan.bader@canonical.com>
In-Reply-To: <1498145294-7974-1-git-send-email-stefan.bader@canonical.com>
From: Sinclair Yeh When vmw_gb_surface_define_ioctl() is called with an existing buffer, we end up returning an uninitialized variable in the backup_handle. The fix is to first initialize backup_handle to 0 just to be sure, and second, when a user-provided buffer is found, we will use the req->buffer_handle as the backup_handle. Cc: Reported-by: Murray McAllister Signed-off-by: Sinclair Yeh Reviewed-by: Deepak Rawat CVE-2017-9605 (backported from commit 07678eca2cf9c9a18584e546c2b2a0d0c9a3150c) Signed-off-by: Stefan Bader Acked-by: Colin Ian King Acked-by: Thadeu Lima de Souza Cascardo --- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c index 8a98b88..9593df6 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c @@ -1178,7 +1178,7 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data, uint32_t size; struct vmw_master *vmaster = vmw_master(file_priv->master); const struct svga3d_surface_desc *desc; - uint32_t backup_handle; + uint32_t backup_handle = 0; if (req->mip_levels > DRM_VMW_MAX_MIP_LEVELS) return -EINVAL; @@ -1247,6 +1247,17 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data, if (req->buffer_handle != SVGA3D_INVALID_ID) { ret = vmw_user_dmabuf_lookup(tfile, req->buffer_handle, &res->backup); + if (ret == 0) { + if (res->backup->base.num_pages * PAGE_SIZE < + res->backup_size) { + DRM_ERROR("Surface backup buffer is too small.\n"); + vmw_dmabuf_unreference(&res->backup); + ret = -EINVAL; + goto out_unlock; + } + } else { + backup_handle = req->buffer_handle; + } } else if (req->drm_surface_flags & drm_vmw_surface_flag_create_buffer) ret = vmw_user_dmabuf_alloc(dev_priv, tfile,
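Review bot: in the second hunk the "} else { backup_handle = req->buffer_handle; }" branch is attached to "if (ret == 0) {", so the handle is assigned only when vmw_user_dmabuf_lookup() fails; on a successful lookup of a user-provided buffer that passes the size check, backup_handle keeps the 0 from the first hunk, which is the opposite of what the commit message states ("when a user-provided buffer is found, we will use the req->buffer_handle as the backup_handle") and still leaves the ioctl reporting a handle of 0 for an existing buffer instead of the real one. The assignment belongs inside the ret == 0 block as the else branch of the size check, i.e. "goto out_unlock; } else { backup_handle = req->buffer_handle; } }" with the block closed before the outer "}" of the SVGA3D_INVALID_ID test; please re-check the brace placement against the upstream commit named in the message, since this is exactly the kind of shift that creeps into a backport, and confirm the failed-lookup path (ret != 0) still returns the error rather than continuing with a handle copied from the request.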