From 59a1e125532827ee1befae33c457c7756cc4c2e1 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Thu, 24 Oct 2024 07:16:26 -0400
Subject: [PATCH] Fixes for 5.4

Signed-off-by: Sasha Levin
---
...place-fake-vla-at-end-of-vbva_mouse_.patch | 72 +++++++++++++++++++
queue-5.4/series | 2 +
...nit-value-use-in-udf_get_fileshortad.patch | 54 ++++++++++++++
3 files changed, 128 insertions(+)
create mode 100644 queue-5.4/drm-vboxvideo-replace-fake-vla-at-end-of-vbva_mouse_.patch
create mode 100644 queue-5.4/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch
diff --git a/queue-5.4/drm-vboxvideo-replace-fake-vla-at-end-of-vbva_mouse_.patch b/queue-5.4/drm-vboxvideo-replace-fake-vla-at-end-of-vbva_mouse_.patch
new file mode 100644
index 00000000000..6195b10e6a4
--- /dev/null
+++ b/queue-5.4/drm-vboxvideo-replace-fake-vla-at-end-of-vbva_mouse_.patch
@@ -0,0 +1,72 @@
+From 5c3db18145034297b34caa330384d97f5346eaef Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Aug 2024 12:45:23 +0200
+Subject: drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape
+ with real VLA
+
+From: Hans de Goede
+
+[ Upstream commit d92b90f9a54d9300a6e883258e79f36dab53bfae ]
+
+Replace the fake VLA at end of the vbva_mouse_pointer_shape shape with
+a real VLA to fix a "memcpy: detected field-spanning write error" warning:
+
+[ 13.319813] memcpy: detected field-spanning write (size 16896) of single field "p->data" at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 (size 4)
+[ 13.319841] WARNING: CPU: 0 PID: 1105 at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 hgsmi_update_pointer_shape+0x192/0x1c0 [vboxvideo]
+[ 13.320038] Call Trace:
+[ 13.320173] hgsmi_update_pointer_shape [vboxvideo]
+[ 13.320184] vbox_cursor_atomic_update [vboxvideo]
+
+Note as mentioned in the added comment it seems the original length
+calculation for the allocated and send hgsmi buffer is 4 bytes too large.
+Changing this is not the goal of this patch, so this behavior is kept.
+
+Signed-off-by: Hans de Goede
+Reviewed-by: Jani Nikula
+Link: https://patchwork.freedesktop.org/patch/msgid/20240827104523.17442-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/vboxvideo/hgsmi_base.c | 10 +++++++++-
+ drivers/gpu/drm/vboxvideo/vboxvideo.h | 4 +---
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/vboxvideo/hgsmi_base.c b/drivers/gpu/drm/vboxvideo/hgsmi_base.c
+index 361d3193258ea..7edc9cf6a6069 100644
+--- a/drivers/gpu/drm/vboxvideo/hgsmi_base.c
++++ b/drivers/gpu/drm/vboxvideo/hgsmi_base.c
+@@ -135,7 +135,15 @@ int hgsmi_update_pointer_shape(struct gen_pool *ctx, u32 flags,
+ flags |= VBOX_MOUSE_POINTER_VISIBLE;
+ }
+ 
+- p = hgsmi_buffer_alloc(ctx, sizeof(*p) + pixel_len, HGSMI_CH_VBVA,
++ /*
++ * The 4 extra bytes come from switching struct vbva_mouse_pointer_shape
++ * from having a 4 bytes fixed array at the end to using a proper VLA
++ * at the end. These 4 extra bytes were not subtracted from sizeof(*p)
++ * before the switch to the VLA, so this way the behavior is unchanged.
++ * Chances are these 4 extra bytes are not necessary but they are kept
++ * to avoid regressions.
++ */
++ p = hgsmi_buffer_alloc(ctx, sizeof(*p) + pixel_len + 4, HGSMI_CH_VBVA,
+ VBVA_MOUSE_POINTER_SHAPE);
+ if (!p)
+ return -ENOMEM;
+diff --git a/drivers/gpu/drm/vboxvideo/vboxvideo.h b/drivers/gpu/drm/vboxvideo/vboxvideo.h
+index 0592004f71aa0..a03695939c62a 100644
+--- a/drivers/gpu/drm/vboxvideo/vboxvideo.h
++++ b/drivers/gpu/drm/vboxvideo/vboxvideo.h
+@@ -351,10 +351,8 @@ struct vbva_mouse_pointer_shape {
+ * Bytes in the gap between the AND and the XOR mask are undefined.
+ * XOR mask scanlines have no gap between them and size of XOR mask is:
+ * xor_len = width * 4 * height.
+- *
+- * Preallocate 4 bytes for accessing actual data as p->data.
+ */
+- u8 data[4];
++ u8 data[];
+ } __packed;
+ 
+ /* pointer is visible */
+-- 
+2.43.0
+
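Review bot: The new hgsmi_buffer_alloc() line still open-codes the buffer size as `sizeof(*p) + pixel_len + 4` even though the same patch turns `data` into a flexible array member; if struct_size() is available in this tree, `struct_size(p, data, pixel_len) + 4` states the same quantity in terms of the member being filled and keeps the deliberate extra 4 bytes the comment justifies, so the allocation and the VLA stay visibly tied together. Whether pixel_len has already been checked against the caller-supplied length is outside the hunk — hgsmi_update_pointer_shape() starts and ends beyond it — so I cannot tell from here whether the sum can wrap. The added comment could also name the memcpy() into p->data at hgsmi_base.c:154 quoted in the commit message as the write that the fixed-size array could not hold, so a later reader sees why the size expression and the array declaration must agree.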
diff --git a/queue-5.4/series b/queue-5.4/series
index 18069dd1e8d..0532502b28b 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -401,3 +401,5 @@ kvm-s390-gaccess-refactor-gpa-and-length-calculation.patch
 kvm-s390-gaccess-refactor-access-address-range-check.patch
 kvm-s390-gaccess-cleanup-access-to-guest-pages.patch
 kvm-s390-gaccess-check-if-guest-address-is-in-memslo.patch
+drm-vboxvideo-replace-fake-vla-at-end-of-vbva_mouse_.patch
+udf-fix-uninit-value-use-in-udf_get_fileshortad.patch
diff --git a/queue-5.4/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch b/queue-5.4/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch
new file mode 100644
index 00000000000..d1cb71e8ff8
--- /dev/null
+++ b/queue-5.4/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch
@@ -0,0 +1,54 @@
+From 7d4ee59bdf01b836e587335605b091b4928a729f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 25 Sep 2024 09:46:15 +0200
+Subject: udf: fix uninit-value use in udf_get_fileshortad
+
+From: Gianfranco Trad
+
+[ Upstream commit 264db9d666ad9a35075cc9ed9ec09d021580fbb1 ]
+
+Check for overflow when computing alen in udf_current_aext to mitigate
+later uninit-value use in udf_get_fileshortad KMSAN bug[1].
+After applying the patch reproducer did not trigger any issue[2].
+
+[1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
+[2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000
+
+Reported-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
+Tested-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com
+Suggested-by: Jan Kara
+Signed-off-by: Gianfranco Trad
+Signed-off-by: Jan Kara
+Link: https://patch.msgid.link/20240925074613.8475-3-gianf.trad@gmail.com
+Signed-off-by: Sasha Levin
+---
+ fs/udf/inode.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index fef6e5e06e3f2..7d878e36759b2 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -2193,12 +2193,15 @@ int8_t udf_current_aext(struct inode *inode, struct extent_position *epos,
+ alen = udf_file_entry_alloc_offset(inode) +
+ iinfo->i_lenAlloc;
+ } else {
++ struct allocExtDesc *header =
++ (struct allocExtDesc *)epos->bh->b_data;
++
+ if (!epos->offset)
+ epos->offset = sizeof(struct allocExtDesc);
+ ptr = epos->bh->b_data + epos->offset;
+- alen = sizeof(struct allocExtDesc) +
+- le32_to_cpu(((struct allocExtDesc *)epos->bh->b_data)->
+- lengthAllocDescs);
++ if (check_add_overflow(sizeof(struct allocExtDesc),
++ le32_to_cpu(header->lengthAllocDescs), &alen))
++ return -1;
+ }
+ 
+ switch (iinfo->i_alloc_type) {
+-- 
+2.43.0
+
-- 
2.47.2
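Review bot: The added check_add_overflow() call mixes operand types — `sizeof(struct allocExtDesc)` is size_t, `le32_to_cpu(header->lengthAllocDescs)` is u32, and `alen` is declared above the hunk (presumably still `int` in this tree). The overflow.h of this kernel generation enforces one common type for all three arguments through pointer comparisons, so this backport is likely to compile with "comparison of distinct pointer types" warnings on 5.4 even though the underlying builtin does the arithmetic correctly; the upstream tree the patch comes from accepts mixed types, so the backport deserves a build test of its own rather than relying on upstream's. If it warns, compute the sum in a size_t temporary with matching casts and range-check it before assigning to alen, which also makes the rejection of an on-disk length that does not fit the variable explicit instead of depending on the width of alen. udf_current_aext() continues outside the hunk, so whether alen is later bounded against the buffer that epos->bh holds is not visible here.
```c
		struct allocExtDesc *header =
			(struct allocExtDesc *)epos->bh->b_data;
		size_t len;

		/* … unchanged: epos->offset default and ptr … */
		if (check_add_overflow(sizeof(struct allocExtDesc),
				       (size_t)le32_to_cpu(header->lengthAllocDescs),
				       &len) ||
		    len > INT_MAX)
			return -1;
		alen = len;
```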