drm/vmwgfx: Validate the box size for the snooped cursor
stable inclusion from stable-v4.19.270 commit 6b4e70a428b5a11f56db94047b68e144529fe512 category: bugfix bugzilla: 188685, https://gitee.com/src-openeuler/kernel/issues/I5QLC4 CVE:CVE-2022-36280 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6b4e70a428b5a11f56db94047b68e144529fe512 -------------------------------- commit 4cf949c7 upstream. Invalid userspace dma surface copies could potentially overflow the memcpy from the surface to the snooped image leading to crashes. To fix it the dimensions of the copybox have to be validated against the expected size of the snooped cursor. Signed-off-by: NZack Rusin <zackr@vmware.com> Fixes: 2ac86371 ("vmwgfx: Snoop DMA transfers with non-covering sizes") Cc: <stable@vger.kernel.org> # v3.2+ Reviewed-by: NMichael Banack <banackm@vmware.com> Reviewed-by: NMartin Krastev <krastevm@vmware.com> Link: https://patchwork.freedesktop.org/patch/msgid/20221026031936.1004280-1-zack@kde.orgSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NYuyao Lin <linyuyao1@huawei.com> Reviewed-by: NWang Weiyang <wangweiyang2@huawei.com> Reviewed-by: NWei Li <liwei391@huawei.com> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com>
Showing
想要评论请 注册 或 登录