From patchwork Wed Oct 26 03:19:35 2022
X-Patchwork-Submitter: Zack Rusin
X-Patchwork-Id: 13020104
From: Zack Rusin
To: dri-devel@lists.freedesktop.org
Subject: [PATCH 1/2] drm/vmwgfx: Validate the box size for the snooped cursor
Date: Tue, 25 Oct 2022 23:19:35 -0400
Message-Id: <20221026031936.1004280-1-zack@kde.org>
Cc: krastevm@vmware.com, stable@vger.kernel.org, banackm@vmware.com, mombasawalam@vmware.com

From: Zack Rusin

Invalid userspace dma surface copies could potentially overflow the memcpy from the surface to the snooped image leading to crashes. To fix it the dimensions of the copybox have to be validated against the expected size of the snooped cursor.

Signed-off-by: Zack Rusin
Fixes: 2ac863719e51 ("vmwgfx: Snoop DMA transfers with non-covering sizes")
Cc: # v3.2+
Reviewed-by: Michael Banack
Reviewed-by: Martin Krastev
---
 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
index 0342efdf9063..d434b6ae1092 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
@@ -393,7 +393,8 @@ void vmw_kms_cursor_snoop(struct vmw_surface *srf,
 if (cmd->dma.guest.ptr.offset % PAGE_SIZE ||
 box->x != 0 || box->y != 0 || box->z != 0 ||
 box->srcx != 0 || box->srcy != 0 || box->srcz != 0 ||
- box->d != 1 || box_count != 1) {
+ box->d != 1 || box_count != 1 ||
+ box->w > 64 || box->h > 64) {
 /* TODO handle none page aligned offsets */
 /* TODO handle more dst & src != 0 */
 /* TODO handle more then one copy */
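Review bot: the new bound on the `+ box->w > 64 || box->h > 64` line hard-codes the snooped cursor dimensions as a bare literal, so the size this check enforces and the size of the snooped image buffer that the memcpy writes into are maintained in two separate places; define one named constant for the snooped cursor width and height next to where that buffer is sized (a name such as VMW_CURSOR_SNOOP_WIDTH is only a suggestion here, not an existing identifier) and use it in both the allocation and this comparison so the two cannot drift apart. Since the bound exists specifically to stop the overflow described in the commit message, a short comment on the added lines saying so would also help: the three existing TODO comments in the same branch explain the other rejected conditions, but none of them mentions the oversized-box case, and a future reader relaxing the check in the "handle more" spirit of those TODOs would have no hint that this condition is a memory-safety bound rather than an unimplemented feature.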