From patchwork Fri Sep 20 06:57:04 2024
X-Patchwork-Submitter: Koichiro Den
X-Patchwork-Id: 1987667
From: Koichiro Den
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 0/2] CVE-2022-36402
Date: Fri, 20 Sep 2024 15:57:04 +0900
Message-ID: <20240920065711.8902-1-koichiro.den@canonical.com>

[Impact]

drm/vmwgfx: Fix shader stage validation

For multiple commands the driver was not correctly validating the shader
stages resulting in possible kernel oopses. The validation code was only,
if ever, checking the upper bound on the shader stages but never a lower
bound (valid shader stages start at 1 not 0).

Fixes kernel oopses ending up in vmw_binding_add, e.g.:

Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 1 PID: 2443 Comm: testcase Not tainted 6.3.0-rc4-vmwgfx #1
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
RIP: 0010:vmw_binding_add+0x4c/0x140 [vmwgfx]
Code: 7e 30 49 83 ff 0e 0f 87 ea 00 00 00 4b 8d 04 7f 89 d2 89 cb 48 c1 e0 03 4c 8b b0 40 3d 93 c0 48 8b 80 48 3d 93 c0 49 0f af de <48> 03 1c d0 4c 01 e3 49 8>
RSP: 0018:ffffb8014416b968 EFLAGS: 00010206
RAX: ffffffffc0933ec0 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 00000000ffffffff RSI: ffffb8014416b9c0 RDI: ffffb8014316f000
RBP: ffffb8014416b998 R08: 0000000000000003 R09: 746f6c735f726564
R10: ffffffffaaf2bda0 R11: 732e676e69646e69 R12: ffffb8014316f000
R13: ffffb8014416b9c0 R14: 0000000000000040 R15: 0000000000000006
FS: 00007fba8c0af740(0000) GS:ffff8a1277c80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000007c0933eb8 CR3: 0000000118244001 CR4: 00000000003706e0
Call Trace:
 vmw_view_bindings_add+0xf5/0x1b0 [vmwgfx]
 ? ___drm_dbg+0x8a/0xb0 [drm]
 vmw_cmd_dx_set_shader_res+0x8f/0xc0 [vmwgfx]
 vmw_execbuf_process+0x590/0x1360 [vmwgfx]
 vmw_execbuf_ioctl+0x173/0x370 [vmwgfx]
 ? __drm_dev_dbg+0xb4/0xe0 [drm]
 ? __pfx_vmw_execbuf_ioctl+0x10/0x10 [vmwgfx]
 drm_ioctl_kernel+0xbc/0x160 [drm]
 drm_ioctl+0x2d2/0x580 [drm]
 ? __pfx_vmw_execbuf_ioctl+0x10/0x10 [vmwgfx]
 ? do_fault+0x1a6/0x420
 vmw_generic_ioctl+0xbd/0x180 [vmwgfx]
 vmw_unlocked_ioctl+0x19/0x20 [vmwgfx]
 __x64_sys_ioctl+0x96/0xd0
 do_syscall_64+0x5d/0x90
 ? handle_mm_fault+0xe4/0x2f0
 ? debug_smp_processor_id+0x1b/0x30
 ? fpregs_assert_state_consistent+0x2e/0x50
 ? exit_to_user_mode_prepare+0x40/0x180
 ? irqentry_exit_to_user_mode+0xd/0x20
 ? irqentry_exit+0x3f/0x50
 ? exc_page_fault+0x8b/0x180
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

[Backport]

The primary fix commit 14abdfae5082 targeted vmwgfx 2.20.0 and was
successfully backported to stable trees 5.15.y and newer, hence already
present in Jammy [1]. On the other hand, applying the fix to Focal, where
vmwgfx version is 2.15.0, causes several conflicts due to the driver
changes up to 2.20.0, highlighted by the missing "[PATCH v2 00/17]
drm/vmwgfx add support for GL4" [1].

To backport it without bumping the driver version and to minimize the
introduction of various changes or features from the 2.15.0 to 2.20.0
updates, I opted not to backport all dependent patches except for commit
878c6ecd3e24 ("drm/vmwgfx: Use enum to represent graphics context
capabilities"); this helps preserve the structure of the primary fix with
the added enum vmw_sm_type and vmw_private.sm_type, without adding any new
feature.

To backport 878c6ecd3e24 ("drm/vmwgfx: Use enum to represent graphics
context capabilities"),
- adjusted context due to missing commits:
  * 2bdb7380fe12 ("drm/vmwgfx: Remove a few unused functions")
  * ef7c7b7497d6 ("drm/vmwgfx: Also check for SVGA_CAP_DX before reading
    DX context support")

To backport 14abdfae5082 ("drm/vmwgfx: Fix shader stage validation"),
- adjusted context due to missing commits:
  * c593197b6ece ("drm/vmwgfx: Fix fencing on SVGAv3")
  * d2e90ab3744f ("drm/vmwgfx: Support SM5 shader type in command buffer")
- manually adjusted vmw_shadertype_is_valid() so that max_allowed is to be
  SVGA3D_SHADERTYPE_DX10_MAX.

[1] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2039227
[2] https://lore.kernel.org/all/20200323231238.14839-1-rscheidegger.oss@gmail.com/

[Fix]

Noble:  not affected
Jammy:  fixed via stable
Focal:  Backport - backported an additional commit and adjusted contexts,
        see [Backport]
Bionic: fix will be sent to esm ML
Xenial: fix will be sent to esm ML
Trusty: not affected

[Test Case]

Compile and boot tested.

Boot test was done on Ubuntu Desktop under two conditions on VMware
Workstation 17.6.0 build-24238078; with SM4_1 support and Pre-DX Legacy.
Confirmed that with SM4_1 support, the patched vmw_cmd_dx_* functions work
without issues, while stressing simply using glxgears.
- vmw_cmd_dx_set_shader
- vmw_cmd_dx_set_single_constant_buffer
- vmw_cmd_dx_set_shader_res

[Where problems could occur]

This fix affects those who use the vmwgfx driver; an issue with this fix
would be visible to the user via unpredicted system behavior or a system
crash.

Zack Rusin (1):
  drm/vmwgfx: Fix shader stage validation

 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h     | 11 +++++++++++
 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 24 ++++++++++++------------
 2 files changed, 23 insertions(+), 12 deletions(-)

Acked-by: Thibault Ferrante
Acked-by: Mehmet Basaran
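
The bounds problem described under [Impact], as an added example that is not part of the original message and is not the vmwgfx driver's code: a user-space C model of an upper-bound-only stage check beside a check of both bounds. The constants, the table and all function names are constructed stand-ins, and the numeric range is an assumption of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the stage range; not the driver's headers. */
#define STAGE_MIN      1u   /* first valid stage: stages start at 1, not 0 */
#define STAGE_DX10_MAX 4u   /* exclusive upper bound assumed for this model */
#define NUM_SLOTS      (STAGE_DX10_MAX - STAGE_MIN)

/* "Before": only the upper bound is checked, so stage 0 is accepted. */
static bool stage_valid_upper_only(uint32_t stage)
{
	return stage < STAGE_DX10_MAX;
}

/* "After": both bounds are checked before the value is used as an index. */
static bool stage_valid(uint32_t stage)
{
	return stage >= STAGE_MIN && stage < STAGE_DX10_MAX;
}

/* Slot index the way a per-stage table is addressed: stage - STAGE_MIN. */
static uint32_t stage_to_slot(uint32_t stage)
{
	return stage - STAGE_MIN;   /* stage 0 wraps to 0xffffffff */
}

/* Returns 0 on success, -1 if the stage is rejected. The table is never
 * indexed with a stage that failed validation. */
static int bind_stage(int *table, uint32_t stage, int value)
{
	if (!stage_valid(stage))
		return -1;
	table[stage_to_slot(stage)] = value;
	return 0;
}

int main(void)
{
	int table[NUM_SLOTS] = {0};

	for (uint32_t s = 0; s <= STAGE_DX10_MAX; s++)
		printf("stage %u: upper-only=%d both=%d slot=%#x bind=%d\n",
		       s, stage_valid_upper_only(s), stage_valid(s),
		       stage_to_slot(s), bind_stage(table, s, 1));
	return 0;
}
```

Stage 0 is the only input on which the two checks disagree, and it is the one whose slot index wraps past the end of the table.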