drm/vmwgfx: Fix stale file descriptors on failed usercopy

David Airlie requested to merge airlied/centos-stream-9:bz2047613 into main

Bugzilla: http://bugzilla.redhat.com/2047613
CVE: CVE-2022-22942

commit a0f90c8815706981c483a652a6aefca51a5e191c
Author: Mathias Krause <minipli@grsecurity.net>
Date: Thu Jan 27 18:34:19 2022 +1000

drm/vmwgfx: Fix stale file descriptors on failed usercopy

A failing usercopy of the fence_rep object will lead to a stale entry in
the file descriptor table as put_unused_fd() won't release it. This
enables userland to refer to a dangling 'file' object through that still
valid file descriptor, leading to all kinds of use-after-free
exploitation scenarios.

Fix this by deferring the call to fd_install() until after the usercopy
has succeeded.

Fixes: c906965dee22 ("drm/vmwgfx: Add export fence to file descriptor support")
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Signed-off-by: Zack Rusin <zackr@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Signed-off-by: Dave Airlie <airlied@redhat.com>
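
The ordering problem described in the commit message, as an added example that is not part of the merge request or the kernel source. It is a simplified userspace model: the `toy_*` names and the table layout are assumptions, and `toy_put_unused_fd` is assumed to release only the reservation, as the message says of `put_unused_fd()`.

```c
/* Toy userspace model of a descriptor table. Not kernel code; toy_* names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NFDS 8
struct toy_file { int refs; bool freed; };
struct toy_fdtable { bool reserved[NFDS]; struct toy_file *slot[NFDS]; };

/* Reserve a descriptor number; nothing is reachable through it yet. */
static int toy_get_unused_fd(struct toy_fdtable *t) {
    for (int i = 0; i < NFDS; i++)
        if (!t->reserved[i]) { t->reserved[i] = true; return i; }
    return -1;
}
/* Publish the file in the table: userland can now reach it through fd. */
static void toy_fd_install(struct toy_fdtable *t, int fd, struct toy_file *f) { t->slot[fd] = f; }
/* Give back a reservation. Assumed model of put_unused_fd(): the slot is not cleared. */
static void toy_put_unused_fd(struct toy_fdtable *t, int fd) { t->reserved[fd] = false; }
/* Drop a reference; mark the object freed rather than calling free() so it stays inspectable. */
static void toy_fput(struct toy_file *f) { if (--f->refs == 0) f->freed = true; }

/* install_first=true is the ordering the commit removes; false is the fixed ordering. */
static int toy_export_fence(struct toy_fdtable *t, struct toy_file *f, bool copy_ok, bool install_first) {
    int fd = toy_get_unused_fd(t);
    if (fd < 0) return -1;
    if (install_first) toy_fd_install(t, fd, f);
    if (!copy_ok) {                 /* simulated failing usercopy of fence_rep */
        toy_fput(f);
        toy_put_unused_fd(t, fd);
        return -1;
    }
    if (!install_first) toy_fd_install(t, fd, f);
    return fd;
}

/* Run one failed export and report whether slot 0 still points at a freed file. */
static bool toy_stale_after_failed_copy(bool install_first) {
    struct toy_fdtable t = {0};
    struct toy_file f = { .refs = 1, .freed = false };
    toy_export_fence(&t, &f, false, install_first);
    return t.slot[0] != NULL && t.slot[0]->freed;
}

int main(void) {
    printf("install before usercopy: stale=%d\n", toy_stale_after_failed_copy(true));
    printf("install after usercopy:  stale=%d\n", toy_stale_after_failed_copy(false));
    return 0;
}
```

When reviewing similar code, the check is that every path able to fail after the descriptor is reserved runs before the install step, so the error path only ever has to undo a reservation.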