* [PATCH] drm/vmwgfx: Avoid NULL-ptr dereference in vmw_cmd_dx_define_query()
@ 2023-03-01 16:07 ` Thomas Zimmermann
0 siblings, 0 replies; 4+ messages in thread
From: Thomas Zimmermann @ 2023-03-01 16:07 UTC (permalink / raw)
To: zackr, linux-graphics-maintainer, airlied, daniel
Cc: dri-devel, Thomas Zimmermann, stable
There have been reports [1][2] that vmw_cmd_dx_define_query() can
be called with ctx_node->ctx set to NULL, which results in undefined
behavior in vmw_context_cotable(). Avoid this be returning an errno
code.
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://www.cve.org/CVERecord?id=CVE-2022-38096 # 1
Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=2073 # 2
Cc: stable@vger.kernel.org
---
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
index 6b9aa2b4ef54..1e90362add96 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -1256,7 +1256,7 @@ static int vmw_cmd_dx_define_query(struct vmw_private *dev_priv,
struct vmw_resource *cotable_res;
int ret;
- if (!ctx_node)
+ if (!ctx_node || !ctx_node->ctx)
return -EINVAL;
cmd = container_of(header, typeof(*cmd), header);
--
2.39.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH] drm/vmwgfx: Avoid NULL-ptr dereference in vmw_cmd_dx_define_query()
@ 2023-03-01 16:07 ` Thomas Zimmermann
0 siblings, 0 replies; 4+ messages in thread
From: Thomas Zimmermann @ 2023-03-01 16:07 UTC (permalink / raw)
To: zackr, linux-graphics-maintainer, airlied, daniel
Cc: stable, Thomas Zimmermann, dri-devel
There have been reports [1][2] that vmw_cmd_dx_define_query() can
be called with ctx_node->ctx set to NULL, which results in undefined
behavior in vmw_context_cotable(). Avoid this be returning an errno
code.
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://www.cve.org/CVERecord?id=CVE-2022-38096 # 1
Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=2073 # 2
Cc: stable@vger.kernel.org
---
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
index 6b9aa2b4ef54..1e90362add96 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -1256,7 +1256,7 @@ static int vmw_cmd_dx_define_query(struct vmw_private *dev_priv,
struct vmw_resource *cotable_res;
int ret;
- if (!ctx_node)
+ if (!ctx_node || !ctx_node->ctx)
return -EINVAL;
cmd = container_of(header, typeof(*cmd), header);
--
2.39.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] drm/vmwgfx: Avoid NULL-ptr dereference in vmw_cmd_dx_define_query()
2023-03-01 16:07 ` Thomas Zimmermann
@ 2023-03-01 21:50 ` Zack Rusin
-1 siblings, 0 replies; 4+ messages in thread
From: Zack Rusin @ 2023-03-01 21:50 UTC (permalink / raw)
To: daniel, Linux-graphics-maintainer, airlied, tzimmermann; +Cc: stable, dri-devel
On Wed, 2023-03-01 at 17:07 +0100, Thomas Zimmermann wrote:
> There have been reports [1][2] that vmw_cmd_dx_define_query() can
> be called with ctx_node->ctx set to NULL, which results in undefined
> behavior in vmw_context_cotable(). Avoid this be returning an errno
> code.
>
> Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
> Link: https://www.cve.org/CVERecord?id=CVE-2022-38096 # 1
> Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=2073 # 2
> Cc: stable@vger.kernel.org
> ---
> drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> index 6b9aa2b4ef54..1e90362add96 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> @@ -1256,7 +1256,7 @@ static int vmw_cmd_dx_define_query(struct vmw_private
> *dev_priv,
> struct vmw_resource *cotable_res;
> int ret;
>
> - if (!ctx_node)
> + if (!ctx_node || !ctx_node->ctx)
> return -EINVAL;
I've seen this report, but never a poc that could reproduce it. This should never
happen, the ctx in ctx_node should have been initialized. To be honest I'd prefer to
just figure out how it's uninitialised instead of just checking for something that
should be impossible but without a reproducible test that's difficult.
z
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] drm/vmwgfx: Avoid NULL-ptr dereference in vmw_cmd_dx_define_query()
@ 2023-03-01 21:50 ` Zack Rusin
0 siblings, 0 replies; 4+ messages in thread
From: Zack Rusin @ 2023-03-01 21:50 UTC (permalink / raw)
To: daniel, Linux-graphics-maintainer, airlied, tzimmermann; +Cc: dri-devel, stable
On Wed, 2023-03-01 at 17:07 +0100, Thomas Zimmermann wrote:
> There have been reports [1][2] that vmw_cmd_dx_define_query() can
> be called with ctx_node->ctx set to NULL, which results in undefined
> behavior in vmw_context_cotable(). Avoid this be returning an errno
> code.
>
> Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
> Link: https://www.cve.org/CVERecord?id=CVE-2022-38096 # 1
> Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=2073 # 2
> Cc: stable@vger.kernel.org
> ---
> drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> index 6b9aa2b4ef54..1e90362add96 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> @@ -1256,7 +1256,7 @@ static int vmw_cmd_dx_define_query(struct vmw_private
> *dev_priv,
> struct vmw_resource *cotable_res;
> int ret;
>
> - if (!ctx_node)
> + if (!ctx_node || !ctx_node->ctx)
> return -EINVAL;
I've seen this report, but never a poc that could reproduce it. This should never
happen, the ctx in ctx_node should have been initialized. To be honest I'd prefer to
just figure out how it's uninitialised instead of just checking for something that
should be impossible but without a reproducible test that's difficult.
z
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-03-01 21:51 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-01 16:07 [PATCH] drm/vmwgfx: Avoid NULL-ptr dereference in vmw_cmd_dx_define_query() Thomas Zimmermann
2023-03-01 16:07 ` Thomas Zimmermann
2023-03-01 21:50 ` Zack Rusin
2023-03-01 21:50 ` Zack Rusin
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.