From patchwork Tue May 21 08:25:05 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thomas Hellstrom X-Patchwork-Id: 10953159 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4476B924 for ; Tue, 21 May 2019 08:25:09 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 35BE3205A4 for ; Tue, 21 May 2019 08:25:09 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 29EB62880B; Tue, 21 May 2019 08:25:09 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id D797828841 for ; Tue, 21 May 2019 08:25:08 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id DBB3F891C2; Tue, 21 May 2019 08:25:07 +0000 (UTC) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from NAM05-DM3-obe.outbound.protection.outlook.com (mail-dm3nam05on0628.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe51::628]) by gabe.freedesktop.org (Postfix) with ESMTPS id 5B92B891C2 for ; Tue, 21 May 2019 08:25:07 +0000 (UTC) Received: from MN2PR05MB6141.namprd05.prod.outlook.com (20.178.241.217) by MN2PR05MB6384.namprd05.prod.outlook.com (20.178.246.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1922.12; Tue, 21 May 2019 08:25:05 +0000 Received: from MN2PR05MB6141.namprd05.prod.outlook.com ([fe80::c19e:e8f8:b151:9ad]) by MN2PR05MB6141.namprd05.prod.outlook.com ([fe80::c19e:e8f8:b151:9ad%6]) with mapi id 15.20.1922.013; Tue, 21 May 2019 08:25:05 +0000 From: Thomas Hellstrom To: "dri-devel@lists.freedesktop.org" Subject: [PATCH 6/6] drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to an invalid read Thread-Topic: [PATCH 6/6] drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to an invalid read Thread-Index: AQHVD66xyjyjvStMIUOjtPqDr9K8bw== Date: Tue, 21 May 2019 08:25:05 +0000 Message-ID: <20190521082345.27286-6-thellstrom@vmware.com> References: <20190521082345.27286-1-thellstrom@vmware.com> In-Reply-To: <20190521082345.27286-1-thellstrom@vmware.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-clientproxiedby: VI1PR08CA0156.eurprd08.prod.outlook.com (2603:10a6:800:d5::34) To MN2PR05MB6141.namprd05.prod.outlook.com (2603:10b6:208:c7::25) x-ms-exchange-messagesentrepresentingtype: 1 x-mailer: git-send-email 2.20.1 x-originating-ip: [155.4.205.35] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 2a34fde9-80ea-481a-5841-08d6ddc5d385 x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(2017052603328)(7193020); SRVR:MN2PR05MB6384; x-ms-traffictypediagnostic: MN2PR05MB6384: x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:3044; x-forefront-prvs: 0044C17179 x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(136003)(396003)(376002)(346002)(39860400002)(199004)(189003)(25786009)(6116002)(8676002)(305945005)(14454004)(5660300002)(3846002)(476003)(54906003)(11346002)(81156014)(26005)(486006)(81166006)(256004)(14444005)(68736007)(76176011)(71200400001)(8936002)(7736002)(6916009)(1076003)(478600001)(2616005)(446003)(71190400001)(66476007)(66556008)(64756008)(66446008)(73956011)(36756003)(6512007)(86362001)(66946007)(2906002)(66066001)(186003)(53936002)(52116002)(50226002)(316002)(4326008)(2501003)(102836004)(386003)(6506007)(99286004)(5640700003)(6436002)(2351001)(107886003)(6486002); DIR:OUT; SFP:1101; SCL:1; SRVR:MN2PR05MB6384; H:MN2PR05MB6141.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; received-spf: None (protection.outlook.com: vmware.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam-message-info: sOyVqlotRN14VebJm8ZawPg/YnOKe6MKBRfNcHUnUvh4Ja/tdA70A2wuhlaKu4IwkCR8gg+UBt2cLyhFv+b9ArSkZXlg9YqTzaaZy6qcNpsRRtaaq7iBFpk2TiAWiDgL8yyGCp6qmaouPOLrCtFZIg/upONlHeZ2bvtj7BwunPAzkDwcENBC2B/27iavHzDJ++ysBseknR0arCp2TypngRQb2JFwmN/CX1gY9drxUgIgH8SC7GrC8BpXMLjrSBbS8WuNj9dJ7SGEnDo+zwkDCymlgIg6veWpkoaSISe114PS710+caEcJBARmTcHay3L+aAwsmKNUrkV2pPZgqQpziCvUPrO5VC8opbyTyCHI3WN71WNyhS4+V2TNPs53RD4upuDGcgYqnl/GdOM9CldzcyxXScGXHHJsK13zxt5tbU= MIME-Version: 1.0 X-OriginatorOrg: vmware.com X-MS-Exchange-CrossTenant-Network-Message-Id: 2a34fde9-80ea-481a-5841-08d6ddc5d385 X-MS-Exchange-CrossTenant-originalarrivaltime: 21 May 2019 08:25:05.0578 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: b39138ca-3cee-4b4a-a4d6-cd83d9dd62f0 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: thellstrom@vmware.com X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR05MB6384 X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vmware.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yU/e3nnsYZKhs5ZFwWRintMu6fsB820PHLUcXUtlbPs=; b=b+ny0b+oTz1aWnMh0lnazd8wZilY7K+rSrk3r2+MWSgg0F/mLIpCTEfJ8D42iFf0UhpOrcwUcNmSdbWVXIjm03uxxIhy4ArfZ9DKXqm2sN6Prsh//LlAbOiECltlkd8/rezlzuVZW7JAHkGguaf0MlPRcC7TuLHotNLzuYKV7RQ= X-Mailman-Original-Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=thellstrom@vmware.com; X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Murray McAllister , Thomas Hellstrom , "stable@vger.kernel.org" Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" X-Virus-Scanned: ClamAV using ClamSMTP From: Murray McAllister If SVGA_3D_CMD_DX_SET_SHADER is called with a shader ID of SVGA3D_INVALID_ID, and a shader type of SVGA3D_SHADERTYPE_INVALID, the calculated binding.shader_slot will be 4294967295, leading to an out-of-bounds read in vmw_binding_loc() when the offset is calculated. Cc: Fixes: d80efd5cb3de ("drm/vmwgfx: Initial DX support") Signed-off-by: Murray McAllister Reviewed-by: Thomas Hellstrom Signed-off-by: Thomas Hellstrom --- drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c index b4c7553d2814..33533d126277 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c @@ -2206,7 +2206,8 @@ static int vmw_cmd_dx_set_shader(struct vmw_private *dev_priv, cmd = container_of(header, typeof(*cmd), header); - if (cmd->body.type >= SVGA3D_SHADERTYPE_DX10_MAX) { + if (cmd->body.type >= SVGA3D_SHADERTYPE_DX10_MAX || + cmd->body.type < SVGA3D_SHADERTYPE_MIN) { VMW_DEBUG_USER("Illegal shader type %u.\n", (unsigned int) cmd->body.type); return -EINVAL;