From: Karol Herbst Date: Tue, 10 Oct 2023 11:23:52 +0000 (+0200) Subject: rusticl/memory: fix potential use-after-free in clEnqueueSVMMemFill X-Git-Tag: upstream/23.3.3~1051 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=119c21308778fcbfc4a7c3f1eb00eeb556f633ef;p=platform%2Fupstream%2Fmesa.git rusticl/memory: fix potential use-after-free in clEnqueueSVMMemFill Fixes: bfee3a8563d ("rusticl: add support for fine-grained system SVM") Signed-off-by: Karol Herbst Reported-by: @LingMan <18294-LingMan@users.noreply.gitlab.freedesktop.org> Reviewed-by: @LingMan <18294-LingMan@users.noreply.gitlab.freedesktop.org> Part-of:
---
diff --git a/src/gallium/frontends/rusticl/api/memory.rs b/src/gallium/frontends/rusticl/api/memory.rs
index 0de2a39..fbce8a7 100644
--- a/src/gallium/frontends/rusticl/api/memory.rs
+++ b/src/gallium/frontends/rusticl/api/memory.rs
@@ -2591,6 +2591,9 @@ fn enqueue_svm_mem_fill_impl(
 return Err(CL_INVALID_VALUE);
 }
+ // The application is allowed to reuse or free the memory referenced by `pattern` after this
+ // function returns so we have to make a copy.
+ let pattern: Vec = unsafe { slice::from_raw_parts(pattern.cast(), pattern_size).to_vec() };
 create_and_queue(
 q,
 cmd_type,
@@ -2602,7 +2605,7 @@ fn enqueue_svm_mem_fill_impl(
 while offset < size {
 // SAFETY: pointer are either valid or undefined behavior
 unsafe {
- ptr::copy(pattern, svm_ptr.add(offset), pattern_size);
+ ptr::copy(pattern.as_ptr().cast(), svm_ptr.add(offset), pattern_size);
 }
 offset += pattern_size;
 }
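Review bot: The new `unsafe` block around `slice::from_raw_parts(pattern.cast(), pattern_size)` in the first hunk has no `// SAFETY:` comment; the comment above it explains why a copy is needed, not why reading through the raw pointer is sound. `from_raw_parts` requires a non-null, suitably aligned pointer to `pattern_size` readable bytes, even when the length is zero. The validation that ends in `return Err(CL_INVALID_VALUE);` starts above the hunk, so whether it rejects a null `pattern` or a zero `pattern_size` cannot be confirmed from here. Once that is confirmed, I would add a line such as `// SAFETY: pattern is non-null (checked above) and the caller guarantees pattern_size readable bytes.`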
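Review bot: The `// SAFETY: pointer are either valid or undefined behavior` comment over the `ptr::copy` call in the second hunk is now only half accurate. The source is an owned buffer whose `as_ptr()` is valid for `pattern_size` bytes, so only `svm_ptr.add(offset)` still depends on the application. I would reword it to something like `// SAFETY: pattern is our own copy of pattern_size bytes; the svm_ptr range is the application's responsibility.` The fix also relies on the closure handed to `create_and_queue` taking ownership of the `Vec`, presumably as a `move` closure. That closure header lies between the two hunks and is not visible, so it is worth confirming.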