Module: Mesa Branch: main Commit: 119c21308778fcbfc4a7c3f1eb00eeb556f633ef URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=119c21308778fcbfc4a7c3f1eb00eeb556f633ef
Author: Karol Herbst <[email protected]> Date: Tue Oct 10 13:23:52 2023 +0200 rusticl/memory: fix potential use-after-free in clEnqueueSVMMemFill Fixes: bfee3a8563d ("rusticl: add support for fine-grained system SVM") Signed-off-by: Karol Herbst <[email protected]> Reported-by: @LingMan <[email protected]> Reviewed-by: @LingMan <[email protected]> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/25637>
---
 src/gallium/frontends/rusticl/api/memory.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/gallium/frontends/rusticl/api/memory.rs b/src/gallium/frontends/rusticl/api/memory.rs
index 0de2a390d4c..fbce8a776a0 100644
--- a/src/gallium/frontends/rusticl/api/memory.rs
+++ b/src/gallium/frontends/rusticl/api/memory.rs
@@ -2591,6 +2591,9 @@ fn enqueue_svm_mem_fill_impl(
 return Err(CL_INVALID_VALUE);
 }
 
+ // The application is allowed to reuse or free the memory referenced by `pattern` after this
+ // function returns so we have to make a copy.
+ let pattern: Vec<u8> = unsafe { slice::from_raw_parts(pattern.cast(), pattern_size).to_vec() };
 create_and_queue(
 q,
 cmd_type,
@@ -2602,7 +2605,7 @@ fn enqueue_svm_mem_fill_impl(
 while offset < size {
 // SAFETY: pointer are either valid or undefined behavior
 unsafe {
- ptr::copy(pattern, svm_ptr.add(offset), pattern_size);
+ ptr::copy(pattern.as_ptr().cast(), svm_ptr.add(offset), pattern_size);
 }
 offset += pattern_size;
 }
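Review bot: The new `unsafe` block around `slice::from_raw_parts(pattern.cast(), pattern_size)` in the first hunk carries no `// SAFETY:` comment, although it is now the only place where the application-supplied `pattern` pointer is read. It relies on `pattern` being non-null and readable for `pattern_size` bytes; the checks that would establish this presumably sit in the validation ending just above the hunk, which is not visible here. I would add a line such as `// SAFETY: pattern was validated as non-null above and the caller guarantees pattern_size readable bytes` after the existing two-line comment. enqueue_svm_mem_fill_impl starts and ends outside the hunk.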
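Review bot: The `// SAFETY: pointer are either valid or undefined behavior` comment above the changed `ptr::copy` in the second hunk is now out of date, because the source is the owned `Vec<u8>` copy and only `svm_ptr.add(offset)` still depends on what the application passed. Suggest rewording it to `// SAFETY: pattern is our own copy of pattern_size bytes; svm_ptr must be valid for size bytes per the API contract`. Each pass of the loop writes a full `pattern_size`, so it stays inside the SVM region only if `pattern_size` is non-zero and `size` is a multiple of it; that validation is presumably earlier in the function and is not visible in this hunk. The enclosing closure and function continue outside the hunk.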
