drm/virtio: Ensure cached capset entries are valid before copying.
virtio_gpu_get_caps_ioctl could return success with invalid data if a second caller to the function occurred after the entry was created in virtio_gpu_cmd_get_capset but prior to the virtio_gpu_cmd_capset_cb callback being called. This could leak contents of memory as well since the caps_cache allocation is done without zeroing. Signed-off-by: David Riley <davidriley@chromium.org> Link: http://patchwork.freedesktop.org/patch/msgid/20190605234423.11348-1-davidriley@chromium.org Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
This commit is contained in:
parent
50f9495efe
commit
7fdf478a43
@ -524,7 +524,6 @@ static int virtio_gpu_get_caps_ioctl(struct drm_device *dev,
|
||||
list_for_each_entry(cache_ent, &vgdev->cap_cache, head) {
|
||||
if (cache_ent->id == args->cap_set_id &&
|
||||
cache_ent->version == args->cap_set_ver) {
|
||||
ptr = cache_ent->caps_cache;
|
||||
spin_unlock(&vgdev->display_info_lock);
|
||||
goto copy_exit;
|
||||
}
|
||||
@ -535,6 +534,7 @@ static int virtio_gpu_get_caps_ioctl(struct drm_device *dev,
|
||||
virtio_gpu_cmd_get_capset(vgdev, found_valid, args->cap_set_ver,
|
||||
&cache_ent);
|
||||
|
||||
copy_exit:
|
||||
ret = wait_event_timeout(vgdev->resp_wq,
|
||||
atomic_read(&cache_ent->is_valid), 5 * HZ);
|
||||
if (!ret)
|
||||
@ -542,7 +542,6 @@ static int virtio_gpu_get_caps_ioctl(struct drm_device *dev,
|
||||
|
||||
ptr = cache_ent->caps_cache;
|
||||
|
||||
copy_exit:
|
||||
if (copy_to_user(u64_to_user_ptr(args->addr), ptr, size))
|
||||
return -EFAULT;
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user