Re: [PATCH 3/3] drm/vmwgfx: fix potential UAF in vmwgfx_surface.c

From: Zack Rusin
Date: Thu Jul 22 2021 - 15:17:28 EST

Next message: Sean Anderson: "Re: [PATCH v5 3/3] pwm: Add support for Xilinx AXI Timer"
Previous message: Bjorn Andersson: "Re: [PATCH 29/29] arm64: dts: qcom: Harmonize DWC USB3 DT nodes name"
In reply to: Daniel Vetter: "Re: [PATCH 3/3] drm/vmwgfx: fix potential UAF in vmwgfx_surface.c"
Next in thread: Desmond Cheong Zhi Xi: "Re: [PATCH 3/3] drm/vmwgfx: fix potential UAF in vmwgfx_surface.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 7/22/21 5:29 AM, Desmond Cheong Zhi Xi wrote:

drm_file.master should be protected by either drm_device.master_mutex
or drm_file.master_lookup_lock when being dereferenced. However,
drm_master_get is called on unprotected file_priv->master pointers in
vmw_surface_define_ioctl and vmw_gb_surface_define_internal.

This is fixed by replacing drm_master_get with drm_file_get_master.

Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@xxxxxxxxx>

Reviewed-by: Zack Rusin <zackr@xxxxxxxxxx>

Thanks for taking the time to fix this. Apart from the clear logic error, do you happen to know under what circumstances would this be hit? We have someone looking at writing some vmwgfx specific igt tests and I was wondering if I could add this to the list.

z

Next message: Sean Anderson: "Re: [PATCH v5 3/3] pwm: Add support for Xilinx AXI Timer"
Previous message: Bjorn Andersson: "Re: [PATCH 29/29] arm64: dts: qcom: Harmonize DWC USB3 DT nodes name"
In reply to: Daniel Vetter: "Re: [PATCH 3/3] drm/vmwgfx: fix potential UAF in vmwgfx_surface.c"
Next in thread: Desmond Cheong Zhi Xi: "Re: [PATCH 3/3] drm/vmwgfx: fix potential UAF in vmwgfx_surface.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]