On Thu, Jan 27, 2022 at 11:54:37PM -0500, Zack Rusin wrote:
From: Mathias Krause <minipli@grsecurity.net>
commit a0f90c8815706981c483a652a6aefca51a5e191c upstream.
A failing usercopy of the fence_rep object will lead to a stale entry in the file descriptor table as put_unused_fd() won't release it. This enables userland to refer to a dangling 'file' object through that still valid file descriptor, leading to all kinds of use-after-free exploitation scenarios.
Fix this by deferring the call to fd_install() until after the usercopy has succeeded.
Fixes: c906965dee22 ("drm/vmwgfx: Add export fence to file descriptor support")
[mks: backport to v5.16 and older]
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Signed-off-by: Zack Rusin <zackr@vmware.com>
Cc: stable@vger.kernel.org # v5.4+
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h     |  5 ++--
 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 33 +++++++++++++------------
 drivers/gpu/drm/vmwgfx/vmwgfx_fence.c   |  2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c     |  2 +-
 4 files changed, 21 insertions(+), 21 deletions(-)
All now queued up, thanks.
greg k-h
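As an added illustration of the ordering problem the commit message describes (this is not code from the patch or from the kernel): a constructed user-space model of the fd table in which, as in the kernel, put_unused_fd() only gives back the fd number and does not clear the pointer that fd_install() published. With the pre-fix order a failed copy leaves a table entry pointing at a freed file; with the post-fix order nothing was published, so the cleanup is complete. The struct names, fixed table size and the copy_fails flag are simplifications made for this model.

```c
#include <stdbool.h>
#include <stddef.h>

#define NFDS 4
/* Constructed model: a file with a refcount, and a table that keeps the
 * published pointers separate from the allocation bitmap, as the kernel does. */
struct file { int refcount; bool freed; };
struct fdtable { struct file *fd[NFDS]; bool open[NFDS]; };

static int get_unused_fd(struct fdtable *t)
{
	for (int i = 0; i < NFDS; i++)
		if (!t->open[i]) { t->open[i] = true; return i; }
	return -1;
}
/* Publishes the file: from here on userland can reach it through fd. */
static void fd_install(struct fdtable *t, int fd, struct file *f) { t->fd[fd] = f; }
/* Releases only the number; it does not undo fd_install (mirrors the kernel). */
static void put_unused_fd(struct fdtable *t, int fd) { t->open[fd] = false; }
static void fput(struct file *f) { if (--f->refcount == 0) f->freed = true; }

/* Pre-patch order: install first, then the fallible copy to userland. */
static int export_fence_before_fix(struct fdtable *t, struct file *f, bool copy_fails)
{
	int fd = get_unused_fd(t);
	fd_install(t, fd, f);
	if (copy_fails) {
		put_unused_fd(t, fd);   /* t->fd[fd] still points at f ... */
		fput(f);                /* ... and f is now freed: stale entry */
		return -1;
	}
	return fd;
}

/* Post-patch order: install only once nothing else can fail. */
static int export_fence_after_fix(struct fdtable *t, struct file *f, bool copy_fails)
{
	int fd = get_unused_fd(t);
	if (copy_fails) {
		put_unused_fd(t, fd);   /* nothing was published, so this is a full undo */
		fput(f);
		return -1;
	}
	fd_install(t, fd, f);
	return fd;
}

/* Would a later syscall on fd reach a freed file through the table? */
static bool fd_is_dangling(const struct fdtable *t, int fd)
{
	return fd >= 0 && fd < NFDS && t->fd[fd] != NULL && t->fd[fd]->freed;
}
```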