[PATCH] drm/vmwgfx: Avoid NULL-ptr dereference in vmw_cmd_dx_define_query()

[PATCH] drm/vmwgfx: Avoid NULL-ptr dereference in vmw_cmd_dx_define_query()

[Thomas Zimmermann]

There have been reports [1][2] that vmw_cmd_dx_define_query() can
be called with ctx_node->ctx set to NULL, which results in undefined
behavior in vmw_context_cotable(). Avoid this be returning an errno
code.

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://www.cve.org/CVERecord?id=CVE-2022-38096 # 1
Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=2073 # 2
Cc: stable@vger.kernel.org
---
 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
index 6b9aa2b4ef54..1e90362add96 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -1256,7 +1256,7 @@ static int vmw_cmd_dx_define_query(struct vmw_private *dev_priv,
 	struct vmw_resource *cotable_res;
 	int ret;
 
-	if (!ctx_node)
+	if (!ctx_node || !ctx_node->ctx)
 		return -EINVAL;
 
 	cmd = container_of(header, typeof(*cmd), header);
-- 
2.39.2

[PATCH] drm/vmwgfx: Avoid NULL-ptr dereference in vmw_cmd_dx_define_query()

[Thomas Zimmermann]

There have been reports [1][2] that vmw_cmd_dx_define_query() can
be called with ctx_node->ctx set to NULL, which results in undefined
behavior in vmw_context_cotable(). Avoid this be returning an errno
code.

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://www.cve.org/CVERecord?id=CVE-2022-38096 # 1
Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=2073 # 2
Cc: stable@vger.kernel.org
---
 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
index 6b9aa2b4ef54..1e90362add96 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -1256,7 +1256,7 @@ static int vmw_cmd_dx_define_query(struct vmw_private *dev_priv,
 	struct vmw_resource *cotable_res;
 	int ret;
 
-	if (!ctx_node)
+	if (!ctx_node || !ctx_node->ctx)
 		return -EINVAL;
 
 	cmd = container_of(header, typeof(*cmd), header);
-- 
2.39.2

Re: [PATCH] drm/vmwgfx: Avoid NULL-ptr dereference in vmw_cmd_dx_define_query()

[Zack Rusin]

On Wed, 2023-03-01 at 17:07 +0100, Thomas Zimmermann wrote:
> There have been reports [1][2] that vmw_cmd_dx_define_query() can
> be called with ctx_node->ctx set to NULL, which results in undefined
> behavior in vmw_context_cotable(). Avoid this be returning an errno
> code.
> 
> Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
> Link: https://www.cve.org/CVERecord?id=CVE-2022-38096 # 1
> Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=2073 # 2
> Cc: stable@vger.kernel.org
> ---
>  drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> index 6b9aa2b4ef54..1e90362add96 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> @@ -1256,7 +1256,7 @@ static int vmw_cmd_dx_define_query(struct vmw_private
> *dev_priv,
>         struct vmw_resource *cotable_res;
>         int ret;
>  
> -       if (!ctx_node)
> +       if (!ctx_node || !ctx_node->ctx)
>                 return -EINVAL;

I've seen this report, but never a poc that could reproduce it. This should never
happen, the ctx in ctx_node should have been initialized. To be honest I'd prefer to
just figure out how it's uninitialised instead of just checking for something that
should be impossible but without a reproducible test that's difficult.

z

Re: [PATCH] drm/vmwgfx: Avoid NULL-ptr dereference in vmw_cmd_dx_define_query()

[Zack Rusin]

On Wed, 2023-03-01 at 17:07 +0100, Thomas Zimmermann wrote:
> There have been reports [1][2] that vmw_cmd_dx_define_query() can
> be called with ctx_node->ctx set to NULL, which results in undefined
> behavior in vmw_context_cotable(). Avoid this be returning an errno
> code.
> 
> Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
> Link: https://www.cve.org/CVERecord?id=CVE-2022-38096 # 1
> Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=2073 # 2
> Cc: stable@vger.kernel.org
> ---
>  drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> index 6b9aa2b4ef54..1e90362add96 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> @@ -1256,7 +1256,7 @@ static int vmw_cmd_dx_define_query(struct vmw_private
> *dev_priv,
>         struct vmw_resource *cotable_res;
>         int ret;
>  
> -       if (!ctx_node)
> +       if (!ctx_node || !ctx_node->ctx)
>                 return -EINVAL;

I've seen this report, but never a poc that could reproduce it. This should never
happen, the ctx in ctx_node should have been initialized. To be honest I'd prefer to
just figure out how it's uninitialised instead of just checking for something that
should be impossible but without a reproducible test that's difficult.

z