Skip to content

Commit

Permalink
Fix use after free in get_capset_info callback.
Browse files Browse the repository at this point in the history 
[ Upstream commit e219688 ]

If a response to virtio_gpu_cmd_get_capset_info takes longer than
five seconds to return, the callback will access freed kernel memory
in vg->capsets.

Signed-off-by: Doug Horn <doughorn@google.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20200902210847.2689-2-gurchetansingh@chromium.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
  • Loading branch information
@doug-horn @gregkh
doug-horn authored and gregkh committed Oct 29, 2020
1 parent 4d779ac commit 0c1943f
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 3 deletions.
2 changes: 2 additions & 0 deletions drivers/gpu/drm/virtio/virtgpu_kms.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -80,8 +80,10 @@ static void virtio_gpu_get_capsets(struct virtio_gpu_device *vgdev,
vgdev->capsets[i].id > 0, 5 * HZ);
if (ret == 0) {
DRM_ERROR("timed out waiting for cap set %d\n", i);
spin_lock(&vgdev->display_info_lock);
kfree(vgdev->capsets);
vgdev->capsets = NULL;
spin_unlock(&vgdev->display_info_lock);
return;
}
DRM_INFO("cap set %d: id %d, max-version %d, max-size %d\n",
Expand Down
10 changes: 7 additions & 3 deletions drivers/gpu/drm/virtio/virtgpu_vq.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -684,9 +684,13 @@ static void virtio_gpu_cmd_get_capset_info_cb(struct virtio_gpu_device *vgdev,
int i = le32_to_cpu(cmd->capset_index);

spin_lock(&vgdev->display_info_lock);
vgdev->capsets[i].id = le32_to_cpu(resp->capset_id);
vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version);
vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size);
if (vgdev->capsets) {
vgdev->capsets[i].id = le32_to_cpu(resp->capset_id);
vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version);
vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size);
} else {
DRM_ERROR("invalid capset memory.");
}
spin_unlock(&vgdev->display_info_lock);
wake_up(&vgdev->resp_wq);
}
Expand Down

0 comments on commit 0c1943f

Please sign in to comment.