Message ID | 20190529135221.4819-2-tjaalton@ubuntu.com |
---|---|
State | New |
Series | CVE-2019-11085: drm/i915 privilege escalation via local access | expand |
On 5/29/19 3:52 PM, Timo Aaltonen wrote: > From: Zhenyu Wang <zhenyuw@linux.intel.com> > > This is to fix missed mmap range check on vGPU bar2 region > and only allow to map vGPU allocated GMADDR range, which means > user space should support sparse mmap to get proper offset for > mmap vGPU aperture. And this takes care of actual pgoff in mmap > request as original code always does from beginning of vGPU > aperture. > > Fixes: 659643f7d814 ("drm/i915/gvt/kvmgt: add vfio/mdev support to KVMGT") > Cc: "Monroy, Rodrigo Axel" <rodrigo.axel.monroy@intel.com> > Cc: "Orrala Contreras, Alfredo" <alfredo.orrala.contreras@intel.com> > Cc: stable@vger.kernel.org # v4.10+ > Reviewed-by: Hang Yuan <hang.yuan@intel.com> > Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com> > > CVE-2019-11085 > > (cherry picked from commit 51b00d8509dc69c98740da2ad07308b630d3eb7d) > Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > drivers/gpu/drm/i915/gvt/kvmgt.c | 14 ++++++++++++-- > 1 file changed, 12 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/i915/gvt/kvmgt.c b/drivers/gpu/drm/i915/gvt/kvmgt.c > index 14dce5c201d5..8f23d1f064c6 100644 > --- a/drivers/gpu/drm/i915/gvt/kvmgt.c > +++ b/drivers/gpu/drm/i915/gvt/kvmgt.c > @@ -940,7 +940,7 @@ static int intel_vgpu_mmap(struct mdev_device *mdev, struct vm_area_struct *vma) > { > unsigned int index; > u64 virtaddr; > - unsigned long req_size, pgoff = 0; > + unsigned long req_size, pgoff, req_start; > pgprot_t pg_prot; > struct intel_vgpu *vgpu = mdev_get_drvdata(mdev); 
> > @@ -958,7 +958,17 @@ static int intel_vgpu_mmap(struct mdev_device *mdev, struct vm_area_struct *vma) > pg_prot = vma->vm_page_prot; > virtaddr = vma->vm_start; > req_size = vma->vm_end - vma->vm_start; > - pgoff = vgpu_aperture_pa_base(vgpu) >> PAGE_SHIFT; > + pgoff = vma->vm_pgoff & > + ((1U << (VFIO_PCI_OFFSET_SHIFT - PAGE_SHIFT)) - 1); > + req_start = pgoff << PAGE_SHIFT; > + > + if (!intel_vgpu_in_aperture(vgpu, req_start)) > + return -EINVAL; > + if (req_start + req_size > > + vgpu_aperture_offset(vgpu) + vgpu_aperture_sz(vgpu)) > + return -EINVAL; > + > + pgoff = (gvt_aperture_pa_base(vgpu->gvt) >> PAGE_SHIFT) + pgoff; > > return remap_pfn_range(vma, virtaddr, pgoff, req_size, pg_prot); > } >
On 2019-05-29 16:52:21, Timo Aaltonen wrote: > From: Zhenyu Wang <zhenyuw@linux.intel.com> > > This is to fix missed mmap range check on vGPU bar2 region > and only allow to map vGPU allocated GMADDR range, which means > user space should support sparse mmap to get proper offset for > mmap vGPU aperture. And this takes care of actual pgoff in mmap > request as original code always does from beginning of vGPU > aperture. > > Fixes: 659643f7d814 ("drm/i915/gvt/kvmgt: add vfio/mdev support to KVMGT") > Cc: "Monroy, Rodrigo Axel" <rodrigo.axel.monroy@intel.com> > Cc: "Orrala Contreras, Alfredo" <alfredo.orrala.contreras@intel.com> > Cc: stable@vger.kernel.org # v4.10+ > Reviewed-by: Hang Yuan <hang.yuan@intel.com> > Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com> > > CVE-2019-11085 > > (cherry picked from commit 51b00d8509dc69c98740da2ad07308b630d3eb7d) > Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com> Acked-by: Tyler Hicks <tyhicks@canonical.com> Thanks! Tyler > --- > drivers/gpu/drm/i915/gvt/kvmgt.c | 14 ++++++++++++-- > 1 file changed, 12 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/i915/gvt/kvmgt.c b/drivers/gpu/drm/i915/gvt/kvmgt.c > index 14dce5c201d5..8f23d1f064c6 100644 > --- a/drivers/gpu/drm/i915/gvt/kvmgt.c > +++ b/drivers/gpu/drm/i915/gvt/kvmgt.c > @@ -940,7 +940,7 @@ static int intel_vgpu_mmap(struct mdev_device *mdev, struct vm_area_struct *vma) > { > unsigned int index; > u64 virtaddr; > - unsigned long req_size, pgoff = 0; > + unsigned long req_size, pgoff, req_start; > pgprot_t pg_prot; > struct intel_vgpu *vgpu = mdev_get_drvdata(mdev); 
> > @@ -958,7 +958,17 @@ static int intel_vgpu_mmap(struct mdev_device *mdev, struct vm_area_struct *vma) > pg_prot = vma->vm_page_prot; > virtaddr = vma->vm_start; > req_size = vma->vm_end - vma->vm_start; > - pgoff = vgpu_aperture_pa_base(vgpu) >> PAGE_SHIFT; > + pgoff = vma->vm_pgoff & > + ((1U << (VFIO_PCI_OFFSET_SHIFT - PAGE_SHIFT)) - 1); > + req_start = pgoff << PAGE_SHIFT; > + > + if (!intel_vgpu_in_aperture(vgpu, req_start)) > + return -EINVAL; > + if (req_start + req_size > > + vgpu_aperture_offset(vgpu) + vgpu_aperture_sz(vgpu)) > + return -EINVAL; > + > + pgoff = (gvt_aperture_pa_base(vgpu->gvt) >> PAGE_SHIFT) + pgoff; > > return remap_pfn_range(vma, virtaddr, pgoff, req_size, pg_prot); > } > -- > 2.20.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff --git a/drivers/gpu/drm/i915/gvt/kvmgt.c b/drivers/gpu/drm/i915/gvt/kvmgt.c
index 14dce5c201d5..8f23d1f064c6 100644
--- a/drivers/gpu/drm/i915/gvt/kvmgt.c
+++ b/drivers/gpu/drm/i915/gvt/kvmgt.c
@@ -940,7 +940,7 @@ static int intel_vgpu_mmap(struct mdev_device *mdev, struct vm_area_struct *vma)
 {
 unsigned int index;
 u64 virtaddr;
- unsigned long req_size, pgoff = 0;
+ unsigned long req_size, pgoff, req_start;
 pgprot_t pg_prot;
 struct intel_vgpu *vgpu = mdev_get_drvdata(mdev);
 
@@ -958,7 +958,17 @@ static int intel_vgpu_mmap(struct mdev_device *mdev, struct vm_area_struct *vma)
 pg_prot = vma->vm_page_prot;
 virtaddr = vma->vm_start;
 req_size = vma->vm_end - vma->vm_start;
- pgoff = vgpu_aperture_pa_base(vgpu) >> PAGE_SHIFT;
+ pgoff = vma->vm_pgoff &
+ ((1U << (VFIO_PCI_OFFSET_SHIFT - PAGE_SHIFT)) - 1);
+ req_start = pgoff << PAGE_SHIFT;
+
+ if (!intel_vgpu_in_aperture(vgpu, req_start))
+ return -EINVAL;
+ if (req_start + req_size >
+ vgpu_aperture_offset(vgpu) + vgpu_aperture_sz(vgpu))
+ return -EINVAL;
+
+ pgoff = (gvt_aperture_pa_base(vgpu->gvt) >> PAGE_SHIFT) + pgoff;
 
 return remap_pfn_range(vma, virtaddr, pgoff, req_size, pg_prot);
 }
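Review bot: The upper-bound test `req_start + req_size > vgpu_aperture_offset(vgpu) + vgpu_aperture_sz(vgpu)` in the second hunk is only sound if neither sum can wrap `unsigned long`, and the mask built from `1U` is only sound while `VFIO_PCI_OFFSET_SHIFT - PAGE_SHIFT` stays below 32. Both presumably hold on the 64-bit configurations this driver is built for, but a check that gates which host pages `remap_pfn_range()` exposes to user space should not rely on that silently. Because `intel_vgpu_in_aperture()` has already accepted `req_start`, the subtraction form `if (req_size > vgpu_aperture_offset(vgpu) + vgpu_aperture_sz(vgpu) - req_start) return -EINVAL;` avoids the addition (this assumes the helper rejects anything past the aperture end; its definition is not shown here), and `1UL` would give the mask the same width as `vm_pgoff`. A short comment above the mask, e.g. `/* keep only the in-region page offset; the bits above it presumably select the VFIO region */`, would also record why the raw `vm_pgoff` cannot be used directly. The statements between the two hunks are outside the diff, so the region-index check that precedes this code could not be reviewed.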