rpms/kernel
9
2
Fork 4
Code Issues Pull Requests Releases Activity

Linux 3.9-rc4

Browse Source 
merged: drm-i915-bounds-check-execbuffer-relocation-count.patch
This commit is contained in:
Dave Jones 2013-03-24 22:11:40 -04:00
parent cfeb4721e8
commit 1740c33c63
3 changed files with 8 additions and 109 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
drm-i915-bounds-check-execbuffer-relocation-count.patch
View File

@ -1,100 +0,0 @@
Delivered-To: jwboyer@gmail.com
Received: by 10.76.169.233 with SMTP id ah9csp107244oac;
Mon, 11 Mar 2013 17:32:43 -0700 (PDT)
X-Received: by 10.68.195.70 with SMTP id ic6mr32376980pbc.60.1363048363048;
Mon, 11 Mar 2013 17:32:43 -0700 (PDT)
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
by mx.google.com with ESMTP id xm3si25923071pbc.196.2013.03.11.17.32.12;
Mon, 11 Mar 2013 17:32:43 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1754633Ab3CLAbx (ORCPT <rfc822;cpulmkl@gmail.com> + 99 others);
Mon, 11 Mar 2013 20:31:53 -0400
Received: from smtp.outflux.net ([198.145.64.163]:48630 "EHLO smtp.outflux.net"
rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
id S1754446Ab3CLAbx (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
Mon, 11 Mar 2013 20:31:53 -0400
Received: from www.outflux.net (serenity-end.outflux.net [10.2.0.2])
by vinyl.outflux.net (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id r2C0VjYO004342;
Mon, 11 Mar 2013 17:31:45 -0700
Date: Mon, 11 Mar 2013 17:31:45 -0700
From: Kees Cook <keescook@chromium.org>
To: linux-kernel@vger.kernel.org
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>,
David Airlie <airlied@linux.ie>,
dri-devel@lists.freedesktop.org, intel-gfx@lists.freedesktop.org,
Julien Tinnes <jln@google.com>, marcheu@chromium.org
Subject: [PATCH v3] drm/i915: bounds check execbuffer relocation count
Message-ID: <20130312003145.GA28993@www.outflux.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-MIMEDefang-Filter: outflux$Revision: 1.316 $
X-HELO: www.outflux.net
X-Scanned-By: MIMEDefang 2.71 on 10.2.0.1
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
It is possible to wrap the counter used to allocate the buffer for
relocation copies. This could lead to heap writing overflows.
CVE-2013-0913
v3: collapse test, improve comment
v2: move check into validate_exec_list
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Pinkie Pie
Cc: stable@vger.kernel.org
---
drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index b3a40ee..094ba41 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -732,6 +732,8 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
int count)
{
int i;
+ int relocs_total = 0;
+ int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
for (i = 0; i < count; i++) {
char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
@@ -740,10 +742,13 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
if (exec[i].flags & __EXEC_OBJECT_UNKNOWN_FLAGS)
return -EINVAL;
- /* First check for malicious input causing overflow */
- if (exec[i].relocation_count >
- INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))
+ /* First check for malicious input causing overflow in
+ * the worst case where we need to allocate the entire
+ * relocation tree as a single array.
+ */
+ if (exec[i].relocation_count > relocs_max - relocs_total)
return -EINVAL;
+ relocs_total += exec[i].relocation_count;
length = exec[i].relocation_count *
sizeof(struct drm_i915_gem_relocation_entry);
--
1.7.9.5
--
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

16
kernel.spec
View File

@ -62,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and # For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
# #
%global baserelease 2 %global baserelease 1
%global fedora_build %{baserelease} %global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching # base_sublevel is the kernel version we're starting with and patching
@ -93,9 +93,9 @@ Summary: The Linux kernel
# The next upstream release sublevel (base_sublevel+1) # The next upstream release sublevel (base_sublevel+1)
%define upstream_sublevel %(echo $((%{base_sublevel} + 1))) %define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
# The rc snapshot level # The rc snapshot level
%define rcrev 3 %define rcrev 4
# The git snapshot level # The git snapshot level
%define gitrev 1 %define gitrev 0
# Set rpm version accordingly # Set rpm version accordingly
%define rpmversion 3.%{upstream_sublevel}.0 %define rpmversion 3.%{upstream_sublevel}.0
%endif %endif
@ -734,9 +734,6 @@ Patch21261: 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
#rhbz 914737 #rhbz 914737
Patch21262: x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch Patch21262: x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch
#CVE-2013-0913 rhbz 920471 920529
Patch21271: drm-i915-bounds-check-execbuffer-relocation-count.patch
#rhbz 856863 892599 #rhbz 856863 892599
Patch21273: cfg80211-mac80211-disconnect-on-suspend.patch Patch21273: cfg80211-mac80211-disconnect-on-suspend.patch
Patch21274: mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch Patch21274: mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch
@ -1441,9 +1438,6 @@ ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
#rhbz 914737 #rhbz 914737
ApplyPatch x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch ApplyPatch x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch
#CVE-2013-0913 rhbz 920471 920529
ApplyPatch drm-i915-bounds-check-execbuffer-relocation-count.patch
#rhbz 856863 892599 #rhbz 856863 892599
ApplyPatch cfg80211-mac80211-disconnect-on-suspend.patch ApplyPatch cfg80211-mac80211-disconnect-on-suspend.patch
ApplyPatch mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch ApplyPatch mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch
@ -2295,6 +2289,10 @@ fi
# ||----w | # ||----w |
# || || # || ||
%changelog %changelog
* Sun Mar 24 2013 Dave Jones <davej@redhat.com> -3.9.0-0.rc4.git0.1
- Linux 3.9-rc4
merged: drm-i915-bounds-check-execbuffer-relocation-count.patch
* Sun Mar 24 2013 Peter Robinson <pbrobinson@fedoraproject.org> * Sun Mar 24 2013 Peter Robinson <pbrobinson@fedoraproject.org>
- Update ARM config for OMAP/mvebu/lpae - Update ARM config for OMAP/mvebu/lpae

1
sources
View File

@ -1,3 +1,4 @@
1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz 1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz
f7e97476e1ba31c3bb666b442fcb75dd patch-3.9-rc3.xz f7e97476e1ba31c3bb666b442fcb75dd patch-3.9-rc3.xz
95c3a8605dc96802e2dfe86a2655840c patch-3.9-rc3-git1.xz 95c3a8605dc96802e2dfe86a2655840c patch-3.9-rc3-git1.xz
8106d3a1c94ea6eb726e62c167a794da patch-3.9-rc4.xz