From patchwork Thu Mar 9 18:32:33 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1754740
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][OEM-5.14/OEM-5.17][PATCH] drm/vmwgfx: Validate the box size for the snooped cursor
Date: Thu, 9 Mar 2023 13:32:33 -0500
Message-Id: <20230309183233.52537-2-yuxuan.luo@canonical.com>
In-Reply-To: <20230309183233.52537-1-yuxuan.luo@canonical.com>
References: <20230309183233.52537-1-yuxuan.luo@canonical.com>
List-Id: Kernel team discussions

From: Zack Rusin

Invalid userspace dma surface copies could potentially overflow the memcpy
from the surface to the snooped image leading to crashes. To fix it, the
dimensions of the copybox have to be validated against the expected size
of the snooped cursor.

Signed-off-by: Zack Rusin
Fixes: 2ac863719e51 ("vmwgfx: Snoop DMA transfers with non-covering sizes")
Cc: # v3.2+
Reviewed-by: Michael Banack
Reviewed-by: Martin Krastev
Link: https://patchwork.freedesktop.org/patch/msgid/20221026031936.1004280-1-zack@kde.org
(cherry picked from commit 4cf949c7fafe21e085a4ee386bb2dade9067316e)
CVE-2022-36280
Signed-off-by: Yuxuan Luo
---
 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
index e5fcd6cacf47a..864f2df3ff5c2 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
@@ -186,7 +186,8 @@ void vmw_kms_cursor_snoop(struct vmw_surface *srf, if (cmd->dma.guest.ptr.offset % PAGE_SIZE || box->x != 0 || box->y != 0 || box->z != 0 || box->srcx != 0 || box->srcy != 0 || box->srcz != 0 || - box->d != 1 || box_count != 1) { + box->d != 1 || box_count != 1 || + box->w > 64 || box->h > 64) { /* TODO handle none page aligned offsets */ /* TODO handle more dst & src != 0 */ /* TODO handle more then one copy */
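Review bot: the new bound `box->w > 64 || box->h > 64` hard-codes the snooped-cursor geometry as a bare literal, and nothing in this hunk names the buffer whose size that literal is supposed to match; a named constant (for instance a cursor snoop width/height define that the image allocation and the copy loop also use) would keep this check and the copy from drifting apart, and a one-line comment stating that the snoop image is 64x64 would explain the rejection to the next reader. The condition still admits `box->w == 0` or `box->h == 0`; that presumably degrades to an empty copy, but it is worth a comment, or rejecting alongside the other degenerate cases. Drive-by on the unchanged context: the TODO comments read "none page aligned" and "more then one copy" and should read "non page-aligned" and "more than one copy".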
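The bug the commit message describes is easier to see with numbers. The stand-alone C below is an added illustration written for this page, not the vmwgfx driver's code: it models the snoop image as a 64x64x4-byte buffer (the geometry the patch's new bound implies), mirrors the pre-patch acceptance test and the patched one, and computes how far the crop-copy loop would write for a given box. The `copy_box` struct and all function names are assumptions that simplify the driver's structures; the guest buffer contents are constructed for the demonstration. The extra source-length guard in `snoop_copy()` is not part of the patch and is marked as such.

```c
/*
 * Added illustration of the snooped-cursor bounds problem fixed by this
 * patch.  Stand-alone userspace C modelled on the kernel logic; the struct
 * and function names are assumptions, not the driver's own.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SNOOP_W        64
#define SNOOP_H        64
#define SNOOP_BPP      4
#define SNOOP_IMAGE_SZ (SNOOP_W * SNOOP_H * SNOOP_BPP)   /* 16384 bytes */
#define PAGE_SZ        4096

/* Simplified stand-in (assumed layout) for the copy box carried in the DMA command. */
struct copy_box {
	uint32_t x, y, z;
	uint32_t srcx, srcy, srcz;
	uint32_t w, h, d;
};

/* Exclusive end offset the crop-copy loop would write in the snoop image for this box. */
static size_t snoop_bytes_needed(const struct copy_box *box)
{
	if (box->h == 0 || box->w == 0)
		return 0;
	return (size_t)(box->h - 1) * SNOOP_W * SNOOP_BPP + (size_t)box->w * SNOOP_BPP;
}

/* Pre-patch acceptance test: page-aligned offset, zero origins, one box of depth 1. */
static int box_ok_unpatched(const struct copy_box *box, uint32_t box_count, uint32_t offset)
{
	return !(offset % PAGE_SZ ||
		 box->x || box->y || box->z ||
		 box->srcx || box->srcy || box->srcz ||
		 box->d != 1 || box_count != 1);
}

/* Same test with the patch's added bound on w and h. */
static int box_ok_patched(const struct copy_box *box, uint32_t box_count, uint32_t offset)
{
	return box_ok_unpatched(box, box_count, offset) &&
	       box->w <= SNOOP_W && box->h <= SNOOP_H;
}

/*
 * Crop-copy `box` from a guest buffer with `pitch` bytes per row into the
 * snoop image, rejecting it the way the patched check does.
 * Returns 0 on success, -EINVAL if the box is rejected.
 */
static int snoop_copy(uint8_t *image,
		      const uint8_t *guest, size_t guest_len, uint32_t pitch,
		      const struct copy_box *box, uint32_t box_count, uint32_t offset)
{
	if (!box_ok_patched(box, box_count, offset))
		return -EINVAL;
	/* Extra guard, not in the patch: the source rows must also fit the guest buffer. */
	if (box->h && (size_t)(box->h - 1) * pitch + (size_t)box->w * SNOOP_BPP > guest_len)
		return -EINVAL;
	for (uint32_t i = 0; i < box->h; i++)
		memcpy(image + (size_t)i * SNOOP_W * SNOOP_BPP,
		       guest + (size_t)i * pitch,
		       (size_t)box->w * SNOOP_BPP);
	return 0;
}

/* Runs a benign box and an overflowing one; returns 1 if both behave as expected. */
static int demo_cases(void)
{
	static uint8_t image[SNOOP_IMAGE_SZ];
	static uint8_t guest[SNOOP_IMAGE_SZ];          /* constructed guest surface */
	struct copy_box good = { .w = 32, .h = 32, .d = 1 };
	struct copy_box wide = { .w = 65, .h = 64, .d = 1 };  /* passes the old check, needs 16388 bytes */

	memset(guest, 0xAB, sizeof(guest));
	if (snoop_copy(image, guest, sizeof(guest), SNOOP_W * SNOOP_BPP, &good, 1, 0) != 0)
		return 0;
	if (image[31 * SNOOP_W * SNOOP_BPP + 31 * SNOOP_BPP] != 0xAB)   /* last pixel of the crop */
		return 0;
	if (image[32 * SNOOP_W * SNOOP_BPP] != 0)                       /* row 32 untouched */
		return 0;
	if (snoop_copy(image, guest, sizeof(guest), SNOOP_W * SNOOP_BPP, &wide, 1, 0) != -EINVAL)
		return 0;
	return box_ok_unpatched(&wide, 1, 0) && snoop_bytes_needed(&wide) > SNOOP_IMAGE_SZ;
}

int main(void)
{
	struct copy_box wide = { .w = 65, .h = 64, .d = 1 };

	printf("65x64 box: old check %s, new check %s, copy needs %zu of %d bytes\n",
	       box_ok_unpatched(&wide, 1, 0) ? "accepts" : "rejects",
	       box_ok_patched(&wide, 1, 0) ? "accepts" : "rejects",
	       snoop_bytes_needed(&wide), SNOOP_IMAGE_SZ);
	return demo_cases() ? 0 : 1;
}
```

A 65-wide box sails through every pre-patch condition (origins zero, one box, depth one) yet its last row ends 4 bytes past the 16384-byte image, and a box taller than 64 rows overruns by whole rows; the patched check rejects both before any memcpy runs.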