forge/linux-uconsole
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
linux-uconsole/drivers/gpu/drm/vmwgfx
History
Mathias Krause ae2b20f277 drm/vmwgfx: Fix stale file descriptors on failed usercopy 
commit a0f90c8815 upstream.

A failing usercopy of the fence_rep object will lead to a stale entry in
the file descriptor table as put_unused_fd() won't release it. This
enables userland to refer to a dangling 'file' object through that still
valid file descriptor, leading to all kinds of use-after-free
exploitation scenarios.

Fix this by deferring the call to fd_install() until after the usercopy
has succeeded.

Fixes: c906965dee ("drm/vmwgfx: Add export fence to file descriptor support")
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Signed-off-by: Zack Rusin <zackr@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-01-29 10:26:11 +01:00
..
device_include
Kconfig
Makefile
ttm_lock.c
ttm_lock.h
ttm_object.c
ttm_object.h
vmwgfx_binding.c
vmwgfx_binding.h
vmwgfx_blit.c
vmwgfx_bo.c
vmwgfx_cmdbuf.c
vmwgfx_cmdbuf_res.c
vmwgfx_context.c
vmwgfx_cotable.c
vmwgfx_drv.c
vmwgfx_drv.h drm/vmwgfx: Fix stale file descriptors on failed usercopy 2022-01-29 10:26:11 +01:00
vmwgfx_execbuf.c drm/vmwgfx: Fix stale file descriptors on failed usercopy 2022-01-29 10:26:11 +01:00
vmwgfx_fb.c
vmwgfx_fence.c drm/vmwgfx: Fix stale file descriptors on failed usercopy 2022-01-29 10:26:11 +01:00
vmwgfx_fence.h
vmwgfx_fifo.c
vmwgfx_gmr.c
vmwgfx_gmrid_manager.c
vmwgfx_ioctl.c
vmwgfx_irq.c
vmwgfx_kms.c drm/vmwgfx: Fix stale file descriptors on failed usercopy 2022-01-29 10:26:11 +01:00
vmwgfx_kms.h
vmwgfx_ldu.c
vmwgfx_marker.c
vmwgfx_mob.c
vmwgfx_msg.c
vmwgfx_msg.h
vmwgfx_overlay.c
vmwgfx_page_dirty.c
vmwgfx_prime.c
vmwgfx_reg.h
vmwgfx_resource.c
vmwgfx_resource_priv.h
vmwgfx_scrn.c
vmwgfx_shader.c
vmwgfx_simple_resource.c
vmwgfx_so.c
vmwgfx_so.h
vmwgfx_stdu.c
vmwgfx_streamoutput.c
vmwgfx_surface.c drm/vmwgfx: fix potential UAF in vmwgfx_surface.c 2021-09-18 13:40:27 +02:00
vmwgfx_thp.c
vmwgfx_ttm_buffer.c
vmwgfx_ttm_glue.c
vmwgfx_va.c
vmwgfx_validation.c
vmwgfx_validation.h