Linux 3.9-rc4
merged: drm-i915-bounds-check-execbuffer-relocation-count.patch
This commit is contained in:
parent
cfeb4721e8
commit
1740c33c63
@ -1,100 +0,0 @@
|
||||
|
||||
Delivered-To: jwboyer@gmail.com
|
||||
Received: by 10.76.169.233 with SMTP id ah9csp107244oac;
|
||||
Mon, 11 Mar 2013 17:32:43 -0700 (PDT)
|
||||
X-Received: by 10.68.195.70 with SMTP id ic6mr32376980pbc.60.1363048363048;
|
||||
Mon, 11 Mar 2013 17:32:43 -0700 (PDT)
|
||||
Return-Path: <linux-kernel-owner@vger.kernel.org>
|
||||
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
|
||||
by mx.google.com with ESMTP id xm3si25923071pbc.196.2013.03.11.17.32.12;
|
||||
Mon, 11 Mar 2013 17:32:43 -0700 (PDT)
|
||||
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
|
||||
Authentication-Results: mx.google.com;
|
||||
spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org
|
||||
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
|
||||
id S1754633Ab3CLAbx (ORCPT <rfc822;cpulmkl@gmail.com> + 99 others);
|
||||
Mon, 11 Mar 2013 20:31:53 -0400
|
||||
Received: from smtp.outflux.net ([198.145.64.163]:48630 "EHLO smtp.outflux.net"
|
||||
rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
|
||||
id S1754446Ab3CLAbx (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
|
||||
Mon, 11 Mar 2013 20:31:53 -0400
|
||||
Received: from www.outflux.net (serenity-end.outflux.net [10.2.0.2])
|
||||
by vinyl.outflux.net (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id r2C0VjYO004342;
|
||||
Mon, 11 Mar 2013 17:31:45 -0700
|
||||
Date: Mon, 11 Mar 2013 17:31:45 -0700
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
To: linux-kernel@vger.kernel.org
|
||||
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>,
|
||||
David Airlie <airlied@linux.ie>,
|
||||
dri-devel@lists.freedesktop.org, intel-gfx@lists.freedesktop.org,
|
||||
Julien Tinnes <jln@google.com>, marcheu@chromium.org
|
||||
Subject: [PATCH v3] drm/i915: bounds check execbuffer relocation count
|
||||
Message-ID: <20130312003145.GA28993@www.outflux.net>
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=us-ascii
|
||||
Content-Disposition: inline
|
||||
X-MIMEDefang-Filter: outflux$Revision: 1.316 $
|
||||
X-HELO: www.outflux.net
|
||||
X-Scanned-By: MIMEDefang 2.71 on 10.2.0.1
|
||||
Sender: linux-kernel-owner@vger.kernel.org
|
||||
Precedence: bulk
|
||||
List-ID: <linux-kernel.vger.kernel.org>
|
||||
X-Mailing-List: linux-kernel@vger.kernel.org
|
||||
|
||||
It is possible to wrap the counter used to allocate the buffer for
|
||||
relocation copies. This could lead to heap writing overflows.
|
||||
|
||||
CVE-2013-0913
|
||||
|
||||
v3: collapse test, improve comment
|
||||
v2: move check into validate_exec_list
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Reported-by: Pinkie Pie
|
||||
Cc: stable@vger.kernel.org
|
||||
---
|
||||
drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
|
||||
1 file changed, 8 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
|
||||
index b3a40ee..094ba41 100644
|
||||
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
|
||||
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
|
||||
@@ -732,6 +732,8 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
|
||||
int count)
|
||||
{
|
||||
int i;
|
||||
+ int relocs_total = 0;
|
||||
+ int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
|
||||
|
||||
for (i = 0; i < count; i++) {
|
||||
char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
|
||||
@@ -740,10 +742,13 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
|
||||
if (exec[i].flags & __EXEC_OBJECT_UNKNOWN_FLAGS)
|
||||
return -EINVAL;
|
||||
|
||||
- /* First check for malicious input causing overflow */
|
||||
- if (exec[i].relocation_count >
|
||||
- INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))
|
||||
+ /* First check for malicious input causing overflow in
|
||||
+ * the worst case where we need to allocate the entire
|
||||
+ * relocation tree as a single array.
|
||||
+ */
|
||||
+ if (exec[i].relocation_count > relocs_max - relocs_total)
|
||||
return -EINVAL;
|
||||
+ relocs_total += exec[i].relocation_count;
|
||||
|
||||
length = exec[i].relocation_count *
|
||||
sizeof(struct drm_i915_gem_relocation_entry);
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
|
||||
--
|
||||
Kees Cook
|
||||
Chrome OS Security
|
||||
--
|
||||
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||
Please read the FAQ at http://www.tux.org/lkml/
|
16
kernel.spec
16
kernel.spec
@ -62,7 +62,7 @@ Summary: The Linux kernel
|
||||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 2
|
||||
%global baserelease 1
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
@ -93,9 +93,9 @@ Summary: The Linux kernel
|
||||
# The next upstream release sublevel (base_sublevel+1)
|
||||
%define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
|
||||
# The rc snapshot level
|
||||
%define rcrev 3
|
||||
%define rcrev 4
|
||||
# The git snapshot level
|
||||
%define gitrev 1
|
||||
%define gitrev 0
|
||||
# Set rpm version accordingly
|
||||
%define rpmversion 3.%{upstream_sublevel}.0
|
||||
%endif
|
||||
@ -734,9 +734,6 @@ Patch21261: 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
|
||||
#rhbz 914737
|
||||
Patch21262: x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch
|
||||
|
||||
#CVE-2013-0913 rhbz 920471 920529
|
||||
Patch21271: drm-i915-bounds-check-execbuffer-relocation-count.patch
|
||||
|
||||
#rhbz 856863 892599
|
||||
Patch21273: cfg80211-mac80211-disconnect-on-suspend.patch
|
||||
Patch21274: mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch
|
||||
@ -1441,9 +1438,6 @@ ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
|
||||
#rhbz 914737
|
||||
ApplyPatch x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch
|
||||
|
||||
#CVE-2013-0913 rhbz 920471 920529
|
||||
ApplyPatch drm-i915-bounds-check-execbuffer-relocation-count.patch
|
||||
|
||||
#rhbz 856863 892599
|
||||
ApplyPatch cfg80211-mac80211-disconnect-on-suspend.patch
|
||||
ApplyPatch mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch
|
||||
@ -2295,6 +2289,10 @@ fi
|
||||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Sun Mar 24 2013 Dave Jones <davej@redhat.com> -3.9.0-0.rc4.git0.1
|
||||
- Linux 3.9-rc4
|
||||
merged: drm-i915-bounds-check-execbuffer-relocation-count.patch
|
||||
|
||||
* Sun Mar 24 2013 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||
- Update ARM config for OMAP/mvebu/lpae
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user