Commit 8ccf37b

drm/vmwgfx: Fix invalid reads in fence signaled events
jira LE-1907
cve CVE-2024-36960
Rebuild_History Non-Buildable kernel-4.18.0-553.16.1.el8_10
commit-author Zack Rusin <[email protected]>
commit a37ef76

Correctly set the length of the drm_event to the size of the structure
that's actually used.

The length of the drm_event was set to the parent structure instead of
to the drm_vmw_event_fence which is supposed to be read. drm_read
uses the length parameter to copy the event to the user space thus
resulting in oob reads.

Signed-off-by: Zack Rusin <[email protected]>
Fixes: 8b7de6a ("vmwgfx: Rework fence event action")
Reported-by: [email protected] # ZDI-CAN-23566
Cc: David Airlie <[email protected]>
CC: Daniel Vetter <[email protected]>
Cc: Zack Rusin <[email protected]>
Cc: Broadcom internal kernel review list <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: <[email protected]> # v3.4+
Reviewed-by: Maaz Mombasawala <[email protected]>
Reviewed-by: Martin Krastev <[email protected]>
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
(cherry picked from commit a37ef76)
Signed-off-by: Jonathan Maple <[email protected]>
1 parent ff3827e commit 8ccf37b

1 file changed, +1 -1 lines changed

drivers/gpu/drm/vmwgfx/vmwgfx_fence.c

Lines changed: 1 addition & 1 deletion
@@ -991,7 +991,7 @@ static int vmw_event_fence_action_create(struct drm_file *file_priv,
991991
}
992992

993993
event->event.base.type = DRM_VMW_EVENT_FENCE_SIGNALED;
994-
event->event.base.length = sizeof(*event);
994+
event->event.base.length = sizeof(event->event);
995995
event->event.user_data = user_data;
996996

997997
ret = drm_event_reserve_init(dev, file_priv, &event->base, &event->event.base);
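
Review bot: The corrected assignment at line 994 carries no comment saying why the length must be sizeof(event->event) rather than sizeof(*event), so the two forms still look interchangeable to a later reader. The wrapper also holds event->base, which is passed separately to drm_event_reserve_init() at line 997, and per the commit message drm_read copies base.length bytes to user space, so any length larger than the embedded event exposes whatever follows it in the allocation. Suggest a one-line comment above the assignment stating that length must cover only the user-visible event, and a compile-time assertion tying it to the size of the structure user space is meant to read. Since the oversized length was a one-token slip, it is also worth checking the other places that fill in base.length before calling drm_event_reserve_init() for the same pattern.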
