update kernel source to Ubuntu-4.10.0-28.32
1 From a2285dfad4c68beb9a8376fa2a2df905319b11fa Mon Sep 17 00:00:00 2001
2 From: Sinclair Yeh <syeh@vmware.com>
3 Date: Thu, 22 Jun 2017 17:28:14 +0200
4 Subject: [PATCH 3/5] drm/vmwgfx: Make sure backup_handle is always valid
5
6 When vmw_gb_surface_define_ioctl() is called with an existing buffer,
7 we end up returning an uninitialized variable in the backup_handle.
8
9 The fix is to first initialize backup_handle to 0 just to be sure, and
10 second, when a user-provided buffer is found, we will use the
11 req->buffer_handle as the backup_handle.
12
13 Cc: <stable@vger.kernel.org>
14 Reported-by: Murray McAllister <murray.mcallister@insomniasec.com>
15 Signed-off-by: Sinclair Yeh <syeh@vmware.com>
16 Reviewed-by: Deepak Rawat <drawat@vmware.com>
17
18 CVE-2017-9605
19
20 (cherry picked from commit 07678eca2cf9c9a18584e546c2b2a0d0c9a3150c)
21 Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
22 Acked-by: Colin Ian King <colin.king@canonical.com>
23 Acked-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
24 Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
25 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
26 ---
27 drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 18 +++++++++++-------
28 1 file changed, 11 insertions(+), 7 deletions(-)
29
30 diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
31 index 05fa092c942b..8da50fce3b77 100644
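--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
@@ -1275,7 +1275,7 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
 struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile;
 int ret;
 uint32_t size;
- uint32_t backup_handle;
+ uint32_t backup_handle = 0;
 
 if (req->multisample_count != 0)
 return -EINVAL;
@@ -1315,12 +1315,16 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
 ret = vmw_user_dmabuf_lookup(tfile, req->buffer_handle,
 &res->backup,
 &user_srf->backup_base);
- if (ret == 0 && res->backup->base.num_pages * PAGE_SIZE <
- res->backup_size) {
- DRM_ERROR("Surface backup buffer is too small.\n");
- vmw_dmabuf_unreference(&res->backup);
- ret = -EINVAL;
- goto out_unlock;
+ if (ret == 0) {
+ if (res->backup->base.num_pages * PAGE_SIZE <
+ res->backup_size) {
+ DRM_ERROR("Surface backup buffer is too small.\n");
+ vmw_dmabuf_unreference(&res->backup);
+ ret = -EINVAL;
+ goto out_unlock;
+ } else {
+ backup_handle = req->buffer_handle;
+ }
 }
 } else if (req->drm_surface_flags & drm_vmw_surface_flag_create_buffer)
 ret = vmw_user_dmabuf_alloc(dev_priv, tfile,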
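Review bot: The assignment that actually carries the fix, `backup_handle = req->buffer_handle;` in the second hunk, sits in an `else` after a branch that already ends in `goto out_unlock`, and nothing in the code says why it matters. Dropping the `else` and putting `/* user-supplied buffer: report its handle, never an unset stack value */` above the assignment would keep the security-relevant line at the outer level and make it harder to remove in a later cleanup. For the `= 0` initializer in the first hunk, whether 0 can ever be a valid handle is not visible here; if the reply path uses `SVGA3D_INVALID_ID` for "no buffer", that constant would be a clearer default, which is worth confirming against the rest of the function. vmw_gb_surface_define_ioctl begins and ends outside both hunks, so the place where the value is copied into the reply cannot be checked from this page.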
66 --
67 2.11.0
68