From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 16 Jun 2019 07:28:45 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v5.1.11~28
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c228d6ac10989795723b1be1619b7beb05cac2cc;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	drm-vmwgfx-integer-underflow-in-vmw_cmd_dx_set_shader-leading-to-an-invalid-read.patch
	drm-vmwgfx-null-pointer-dereference-from-vmw_cmd_dx_view_define.patch
---

diff --git a/queue-4.14/drm-vmwgfx-integer-underflow-in-vmw_cmd_dx_set_shader-leading-to-an-invalid-read.patch b/queue-4.14/drm-vmwgfx-integer-underflow-in-vmw_cmd_dx_set_shader-leading-to-an-invalid-read.patch
new file mode 100644
index 00000000000..83386e6d4ef
--- /dev/null
+++ b/queue-4.14/drm-vmwgfx-integer-underflow-in-vmw_cmd_dx_set_shader-leading-to-an-invalid-read.patch
@@ -0,0 +1,39 @@
+From 5ed7f4b5eca11c3c69e7c8b53e4321812bc1ee1e Mon Sep 17 00:00:00 2001
+From: Murray McAllister <murray.mcallister@gmail.com>
+Date: Mon, 20 May 2019 21:57:34 +1200
+Subject: drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to an invalid read
+
+From: Murray McAllister <murray.mcallister@gmail.com>
+
+commit 5ed7f4b5eca11c3c69e7c8b53e4321812bc1ee1e upstream.
+
+If SVGA_3D_CMD_DX_SET_SHADER is called with a shader ID
+of SVGA3D_INVALID_ID, and a shader type of
+SVGA3D_SHADERTYPE_INVALID, the calculated binding.shader_slot
+will be 4294967295, leading to an out-of-bounds read in vmw_binding_loc()
+when the offset is calculated.
+
+Cc: <stable@vger.kernel.org>
+Fixes: d80efd5cb3de ("drm/vmwgfx: Initial DX support")
+Signed-off-by: Murray McAllister <murray.mcallister@gmail.com>
+Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
+Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+@@ -2495,7 +2495,8 @@ static int vmw_cmd_dx_set_shader(struct
+ 
+ 	cmd = container_of(header, typeof(*cmd), header);
+ 
+-	if (cmd->body.type >= SVGA3D_SHADERTYPE_DX10_MAX) {
++	if (cmd->body.type >= SVGA3D_SHADERTYPE_DX10_MAX ||
++	    cmd->body.type < SVGA3D_SHADERTYPE_MIN) {
+ 		DRM_ERROR("Illegal shader type %u.\n",
+ 			  (unsigned) cmd->body.type);
+ 		return -EINVAL;
diff --git a/queue-4.14/drm-vmwgfx-null-pointer-dereference-from-vmw_cmd_dx_view_define.patch b/queue-4.14/drm-vmwgfx-null-pointer-dereference-from-vmw_cmd_dx_view_define.patch
new file mode 100644
index 00000000000..888713fc794
--- /dev/null
+++ b/queue-4.14/drm-vmwgfx-null-pointer-dereference-from-vmw_cmd_dx_view_define.patch
@@ -0,0 +1,39 @@
+From bcd6aa7b6cbfd6f985f606c6f76046d782905820 Mon Sep 17 00:00:00 2001
+From: Murray McAllister <murray.mcallister@gmail.com>
+Date: Sat, 11 May 2019 18:01:37 +1200
+Subject: drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define()
+
+From: Murray McAllister <murray.mcallister@gmail.com>
+
+commit bcd6aa7b6cbfd6f985f606c6f76046d782905820 upstream.
+
+If SVGA_3D_CMD_DX_DEFINE_RENDERTARGET_VIEW is called with a surface
+ID of SVGA3D_INVALID_ID, the srf struct will remain NULL after
+vmw_cmd_res_check(), leading to a null pointer dereference in
+vmw_view_add().
+
+Cc: <stable@vger.kernel.org>
+Fixes: d80efd5cb3de ("drm/vmwgfx: Initial DX support")
+Signed-off-by: Murray McAllister <murray.mcallister@gmail.com>
+Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
+Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+@@ -2735,6 +2735,10 @@ static int vmw_cmd_dx_view_define(struct
+ 	if (view_type == vmw_view_max)
+ 		return -EINVAL;
+ 	cmd = container_of(header, typeof(*cmd), header);
++	if (unlikely(cmd->sid == SVGA3D_INVALID_ID)) {
++		DRM_ERROR("Invalid surface id.\n");
++		return -EINVAL;
++	}
+ 	ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface,
+ 				user_surface_converter,
+ 				&cmd->sid, &srf_node);
diff --git a/queue-4.14/series b/queue-4.14/series
index e913fe6191c..09ed767490f 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -38,3 +38,5 @@ selftests-timers-add-missing-fflush-stdout-calls.patch
 usbnet-ipheth-fix-racing-condition.patch
 kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch
 kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch
+drm-vmwgfx-integer-underflow-in-vmw_cmd_dx_set_shader-leading-to-an-invalid-read.patch
+drm-vmwgfx-null-pointer-dereference-from-vmw_cmd_dx_view_define.patch