[PATCH] drm/vmwgfx: Avoid NULL-ptr dereference in vmw_cmd_dx_define_query()
Zack Rusin
zackr at vmware.com
Wed Mar 1 21:50:36 UTC 2023
On Wed, 2023-03-01 at 17:07 +0100, Thomas Zimmermann wrote:
> There have been reports [1][2] that vmw_cmd_dx_define_query() can
> be called with ctx_node->ctx set to NULL, which results in undefined
> behavior in vmw_context_cotable(). Avoid this by returning an errno
> code.
>
> Signed-off-by: Thomas Zimmermann <tzimmermann at suse.de>
> Link: https://www.cve.org/CVERecord?id=CVE-2022-38096 # 1
> Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=2073 # 2
> Cc: stable at vger.kernel.org
> ---
> drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> index 6b9aa2b4ef54..1e90362add96 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> @@ -1256,7 +1256,7 @@ static int vmw_cmd_dx_define_query(struct vmw_private
> *dev_priv,
> struct vmw_resource *cotable_res;
> int ret;
>
> - if (!ctx_node)
> + if (!ctx_node || !ctx_node->ctx)
> return -EINVAL;
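Review bot: the new `!ctx_node->ctx` condition in the early-return check folds an internal inconsistency (a context node that was set up without its ctx) into the same -EINVAL that already covers the missing-node case, and the commit message says only that reports exist, not how `ctx_node->ctx` ends up NULL once `ctx_node` itself is non-NULL. Since this is going to stable, consider making the unexpected case visible rather than silently rejected, e.g. `if (!ctx_node || WARN_ON_ONCE(!ctx_node->ctx)) return -EINVAL;`, and say in the message whether other execbuf paths that hand `ctx_node->ctx` to vmw_context_cotable() need the same guard.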
I've seen this report, but never a PoC that could reproduce it. This should never
happen; the ctx in ctx_node should have been initialized. To be honest I'd prefer to
just figure out how it's uninitialised instead of just checking for something that
should be impossible, but without a reproducible test that's difficult.
z
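The state the patch guards against, as an added example that is not vmwgfx code and not part of this thread: a small model of a command-stream validator in which the bound-context node exists while its ctx pointer is NULL. The bind logic that produces that state is constructed for the example (it is not a claim about how the real driver gets there), and every name below (cmd_bind_context, validate_stream, run_example, the context table) is hypothetical. The guard mirrors the patch but counts its hits, so that a NULL ctx is surfaced instead of being indistinguishable from ordinary bad input.

```c
/* Added example (not vmwgfx code): a model of a command-stream validator
 * whose bound-context node can exist while node->ctx is NULL, i.e. the
 * state the patch's `!ctx_node->ctx` check rejects.  All names and the
 * bind/lookup logic are hypothetical. */
#include <stdint.h>
#include <stdio.h>

#define EINVAL 22

enum cmd_id { CMD_BIND_CONTEXT = 1, CMD_DEFINE_QUERY = 2 };

struct cmd { uint32_t id; uint32_t arg; };            /* one user command */
struct context { uint32_t handle; int cotable_size; };
struct ctx_node { struct context *ctx; };             /* node/ctx split as in the patch */

struct sw_context {
	struct ctx_node *dx_ctx_node;   /* NULL until a bind command ran */
	struct ctx_node node;
	int queries_defined;
	int null_ctx_hits;              /* diagnostic: how often the guard fired */
};

/* Constructed context table standing in for the driver's resource lookup. */
static struct context g_contexts[] = { { 0x10, 4 }, { 0x11, 8 } };

static struct context *lookup_context(uint32_t handle)
{
	for (size_t i = 0; i < sizeof g_contexts / sizeof g_contexts[0]; i++)
		if (g_contexts[i].handle == handle)
			return &g_contexts[i];
	return NULL;
}

/* Stands in for vmw_context_cotable(): dereferences ctx unconditionally,
 * so reaching it with ctx == NULL is the crash the patch avoids. */
static int context_cotable_size(const struct context *ctx)
{
	return ctx->cotable_size;
}

/* Hypothetical defect: the node is installed even when the lookup failed,
 * leaving dx_ctx_node non-NULL but dx_ctx_node->ctx NULL. */
static int cmd_bind_context(struct sw_context *sw, uint32_t handle)
{
	sw->node.ctx = lookup_context(handle);
	sw->dx_ctx_node = &sw->node;
	return 0;
}

/* The define-query validator with the patch's guard applied. */
static int cmd_dx_define_query(struct sw_context *sw)
{
	struct ctx_node *ctx_node = sw->dx_ctx_node;

	if (!ctx_node)
		return -EINVAL;
	if (!ctx_node->ctx) {
		/* Record the hit instead of failing silently, so the state
		 * that produced it can be chased rather than masked. */
		sw->null_ctx_hits++;
		return -EINVAL;
	}
	if (context_cotable_size(ctx_node->ctx) <= 0)
		return -EINVAL;
	sw->queries_defined++;
	return 0;
}

/* Walks the stream, stopping at the first failing command. */
static int validate_stream(struct sw_context *sw, const struct cmd *cmds, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		int ret;
		switch (cmds[i].id) {
		case CMD_BIND_CONTEXT: ret = cmd_bind_context(sw, cmds[i].arg); break;
		case CMD_DEFINE_QUERY: ret = cmd_dx_define_query(sw); break;
		default: ret = -EINVAL; break;
		}
		if (ret)
			return ret;
	}
	return 0;
}

/* Three constructed streams: a valid bind, no bind at all, and a bind to
 * an unknown handle that leaves ctx NULL. */
static const struct cmd stream_ok[]      = { { CMD_BIND_CONTEXT, 0x10 }, { CMD_DEFINE_QUERY, 0 } };
static const struct cmd stream_unbound[] = { { CMD_DEFINE_QUERY, 0 } };
static const struct cmd stream_nullctx[] = { { CMD_BIND_CONTEXT, 0x99 }, { CMD_DEFINE_QUERY, 0 } };

/* Validator result for stream `which` (0, 1 or 2); `hits` receives the
 * number of times the NULL-ctx guard fired. */
static int run_example(int which, int *hits)
{
	struct sw_context sw = { 0 };
	int ret;

	switch (which) {
	case 0: ret = validate_stream(&sw, stream_ok, 2); break;
	case 1: ret = validate_stream(&sw, stream_unbound, 1); break;
	default: ret = validate_stream(&sw, stream_nullctx, 2); break;
	}
	if (hits)
		*hits = sw.null_ctx_hits;
	return ret;
}

static int guard_hits(int which)
{
	int hits = 0;
	run_example(which, &hits);
	return hits;
}

int main(void)
{
	for (int i = 0; i < 3; i++)
		printf("stream %d: ret=%d null_ctx_hits=%d\n", i, run_example(i, NULL), guard_hits(i));
	return 0;
}
```

The third stream is the interesting one: without the second half of the guard the validator would call context_cotable_size() on a NULL ctx; with it, the stream is rejected with -EINVAL and the counter shows that the rejection came from the "impossible" state rather than from a plainly malformed stream, which is the distinction a root-cause hunt needs.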