Commit 23e6d285 authored by Hans de Goede, committed by Tirui Yin

drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA

mainline inclusion
from mainline-v6.12-rc2
commit d92b90f9a54d9300a6e883258e79f36dab53bfae
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB2BX4
CVE: CVE-2024-50134

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d92b90f9a54d9300a6e883258e79f36dab53bfae



--------------------------------

Replace the fake VLA at the end of vbva_mouse_pointer_shape with
a real VLA to fix a "memcpy: detected field-spanning write error" warning:

[   13.319813] memcpy: detected field-spanning write (size 16896) of single field "p->data" at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 (size 4)
[   13.319841] WARNING: CPU: 0 PID: 1105 at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 hgsmi_update_pointer_shape+0x192/0x1c0 [vboxvideo]
[   13.320038] Call Trace:
[   13.320173]  hgsmi_update_pointer_shape [vboxvideo]
[   13.320184]  vbox_cursor_atomic_update [vboxvideo]

Note, as mentioned in the added comment, it seems the original length
calculation for the allocated and sent hgsmi buffer is 4 bytes too large.
Changing this is not the goal of this patch, so this behavior is kept.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240827104523.17442-1-hdegoede@redhat.com


Signed-off-by: Tirui Yin <yintirui@huawei.com>
Reviewed-by: Chen Jun <chenjun102@huawei.com>
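The commit message above explains why adding `+ 4` at the allocation site keeps the requested buffer size unchanged once `u8 data[4]` becomes `u8 data[]`. The following is an added, stand-alone illustration of that arithmetic, not code from the vboxvideo driver or from this patch: the two structs are constructed stand-ins whose leading fields are assumed for illustration only (the real `vbva_mouse_pointer_shape` layout is not reproduced here), and `build_shape` is a hypothetical helper that copies pixel data into the flexible array the way the driver's `p->data` copy does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the old layout: a fixed 4-byte "fake VLA" tail.
 * The fields before `data` are illustrative, not the real driver struct. */
struct shape_fake_vla {
	uint32_t flags;
	uint32_t hot_x, hot_y, width, height;
	uint8_t data[4];	/* real pixel data overruns this 4-byte field */
} __attribute__((packed));

/* Constructed stand-in for the patched layout: a true flexible array member.
 * sizeof() of this struct no longer includes any bytes for `data`. */
struct shape_real_vla {
	uint32_t flags;
	uint32_t hot_x, hot_y, width, height;
	uint8_t data[];
} __attribute__((packed));

/* How much sizeof shrinks when data[4] becomes data[]: exactly 4 bytes. */
size_t header_size_difference(void)
{
	return sizeof(struct shape_fake_vla) - sizeof(struct shape_real_vla);
}

/* Size the old code requested: sizeof(*p) already counted data[4]. */
size_t old_alloc_size(size_t pixel_len)
{
	return sizeof(struct shape_fake_vla) + pixel_len;
}

/* Size the patched code requests: sizeof(*p) + pixel_len + 4.
 * The explicit 4 compensates for the bytes sizeof no longer includes,
 * so the total is identical to old_alloc_size(). */
size_t patched_alloc_size(size_t pixel_len)
{
	return sizeof(struct shape_real_vla) + pixel_len + 4;
}

/* Hypothetical helper: allocate with the patched size and copy pixel data
 * into the flexible array. Because `data` is a real VLA, the copy is not a
 * write into a 4-byte field, which is what the fortified memcpy warned about.
 * Returns NULL on allocation failure; caller frees the result. */
struct shape_real_vla *build_shape(uint32_t width, uint32_t height,
				   const uint8_t *pixels, size_t pixel_len)
{
	struct shape_real_vla *p = calloc(1, patched_alloc_size(pixel_len));

	if (!p)
		return NULL;
	p->width = width;
	p->height = height;
	memcpy(p->data, pixels, pixel_len);
	return p;
}
```

Compiled with gcc or clang, `header_size_difference()` returns 4 and `patched_alloc_size(n)` equals `old_alloc_size(n)` for every `n`, which is the "behavior is unchanged" property the commit message relies on.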
parent 020e0507
+9 −1
@@ -135,7 +135,15 @@ int hgsmi_update_pointer_shape(struct gen_pool *ctx, u32 flags,
		flags |= VBOX_MOUSE_POINTER_VISIBLE;
	}

	p = hgsmi_buffer_alloc(ctx, sizeof(*p) + pixel_len, HGSMI_CH_VBVA,
	/*
	 * The 4 extra bytes come from switching struct vbva_mouse_pointer_shape
	 * from having a 4 bytes fixed array at the end to using a proper VLA
	 * at the end. These 4 extra bytes were not subtracted from sizeof(*p)
	 * before the switch to the VLA, so this way the behavior is unchanged.
	 * Chances are these 4 extra bytes are not necessary but they are kept
	 * to avoid regressions.
	 */
	p = hgsmi_buffer_alloc(ctx, sizeof(*p) + pixel_len + 4, HGSMI_CH_VBVA,
			       VBVA_MOUSE_POINTER_SHAPE);
	if (!p)
		return -ENOMEM;
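Review bot: the literal `+ 4` in `sizeof(*p) + pixel_len + 4` is justified only by the comment above it, and that comment itself says the bytes are probably unnecessary; consider a named constant for the value or a short follow-up patch that drops it so the allocation matches the actual payload size. Functionally the hunk is sound: with `data` now a flexible array member, `sizeof(*p)` shrinks by exactly the 4 bytes that are added back, so the requested size is unchanged, and the copy into `p->data` reported at hgsmi_base.c:154 in the commit message now targets a flexible array rather than a 4-byte field, which is what resolves the field-spanning write warning.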
+1 −3
@@ -351,10 +351,8 @@ struct vbva_mouse_pointer_shape {
	 * Bytes in the gap between the AND and the XOR mask are undefined.
	 * XOR mask scanlines have no gap between them and size of XOR mask is:
	 * xor_len = width * 4 * height.
	 *
	 * Preallocate 4 bytes for accessing actual data as p->data.
	 */
	u8 data[4];
	u8 data[];
} __packed;

/* pointer is visible */
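Review bot: the removed comment "Preallocate 4 bytes for accessing actual data as p->data." was the only documentation of why `data[4]` existed; since that reasoning now lives at the allocation site, it is worth checking that no other user of `sizeof(struct vbva_mouse_pointer_shape)` expects the 4 trailing bytes to be included, because `sizeof` drops by 4 with `u8 data[]` (the hgsmi_base.c hunk compensates for exactly that, and any other caller would need the same adjustment). The flexible array member is still the last field, so the layout of the preceding `__packed` fields is unchanged.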