Linux v4.10-rc5-367-g1b1bc42

Justin M. Forbes 2017-01-27 16:22:07 -06:00
parent f68a1a5b94
commit 94ee8d4cda
4 changed files with 6 additions and 88 deletions


@ -1,82 +0,0 @@
From: Eric Anholt <eric@anholt.net>
To: dri-devel@lists.freedesktop.org
Subject: [PATCH 1/2] drm/vc4: Fix an integer overflow in temporary
allocation layout.
Date: Wed, 18 Jan 2017 07:20:49 +1100
We copy the unvalidated ioctl arguments from the user into kernel
temporary memory to run the validation from, to avoid a race where the
user updates the unvalidate contents in between validating them and
copying them into the validated BO.
However, in setting up the layout of the kernel side, we failed to
check one of the additions (the roundup() for shader_rec_offset)
against integer overflow, allowing a nearly MAX_UINT value of
bin_cl_size to cause us to under-allocate the temporary space that we
then copy_from_user into.
Reported-by: Murray McAllister <murray.mcallister@insomniasec.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
---
drivers/gpu/drm/vc4/vc4_gem.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
index db920771bfb5..c5fe3554858e 100644
--- a/drivers/gpu/drm/vc4/vc4_gem.c
+++ b/drivers/gpu/drm/vc4/vc4_gem.c
@@ -594,7 +594,8 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
args->shader_rec_count);
struct vc4_bo *bo;
- if (uniforms_offset < shader_rec_offset ||
+ if (shader_rec_offset < args->bin_cl_size ||
+ uniforms_offset < shader_rec_offset ||
exec_size < uniforms_offset ||
args->shader_rec_count >= (UINT_MAX /
sizeof(struct vc4_shader_state)) ||
--
2.11.0
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
From: Eric Anholt <eric@anholt.net>
To: dri-devel@lists.freedesktop.org
Subject: [PATCH 2/2] drm/vc4: Return -EINVAL on the overflow checks failing.
Date: Wed, 18 Jan 2017 07:20:50 +1100
By failing to set the errno, we'd continue on to trying to set up the
RCL, and then oops on trying to dereference the tile_bo that binning
validation should have set up.
Reported-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Eric Anholt <eric@anholt.net>
Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
---
drivers/gpu/drm/vc4/vc4_gem.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
index c5fe3554858e..ab3016982466 100644
--- a/drivers/gpu/drm/vc4/vc4_gem.c
+++ b/drivers/gpu/drm/vc4/vc4_gem.c
@@ -601,6 +601,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
sizeof(struct vc4_shader_state)) ||
temp_size < exec_size) {
DRM_ERROR("overflow in exec arguments\n");
+ ret = -EINVAL;
goto fail;
}
--
2.11.0
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
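Review bot: the deleted file carried two fixes to vc4_get_bcl(), and the first is incomplete without the second. The added `shader_rec_offset < args->bin_cl_size` test sits in a branch that, before patch 2/2, logged "overflow in exec arguments" and jumped to fail without setting ret. Before dropping the file, confirm that the 1b1bc42 snapshot contains both the extra comparison and `ret = -EINVAL;`. The file name and the spec comment mention only the integer overflow fix, so the second change is easy to miss.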

gitrev

@ -1 +1 @@
ff9f8a7cf935468a94d9927c68b00daae701667e
1b1bc42c1692e9b62756323c675a44cb1a1f9dbd


@ -69,7 +69,7 @@ Summary: The Linux kernel
# The rc snapshot level
%global rcrev 5
# The git snapshot level
%define gitrev 3
%define gitrev 4
# Set rpm version accordingly
%define rpmversion 4.%{upstream_sublevel}.0
%endif
@ -593,9 +593,6 @@ Patch851: Armada-trace-build-fix.patch
# selinux: allow context mounts on tmpfs, ramfs, devpts within user namespaces
Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch
#CVE-2017-5576 CVE-2017-5577 rhbz 1416436 1416437 1416439
Patch853: drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch
# END OF PATCH DEFINITIONS
%endif
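Review bot: Patch853 and its `#CVE-2017-5576 CVE-2017-5577 rhbz 1416436 1416437 1416439` comment are removed here, but the new %changelog entry says only "Linux v4.10-rc5-367-g1b1bc42", so the package history no longer shows why the CVE fix stopped being carried. Add a changelog line stating that the drm/vc4 fix was dropped and the reason (for example, that it is included in this snapshot, if that is the case), keeping the CVE and rhbz numbers in it.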
@ -2166,6 +2163,9 @@ fi
#
#
%changelog
* Fri Jan 27 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc5.git4.1
- Linux v4.10-rc5-367-g1b1bc42
* Thu Jan 26 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc5.git3.1
- Linux v4.10-rc5-122-gff9f8a7


@ -1,4 +1,4 @@
SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a
SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99
SHA512 (patch-4.10-rc5.xz) = 5c51bce76af4e6f4637aaa059a9211c958d3d26332ef9efab421586069b1df5610b781908359da325dd114c9a6567f45be45a3c6bae6830586af69669d05910a
SHA512 (patch-4.10-rc5-git3.xz) = e4510851b1bc53e6e34226642386ed5fe2fbca1341a335bb80acbd8535410fb4a218616435e8a3578e4e3d3b4119d021d32643744c85c1287a4da2bab8af2123
SHA512 (patch-4.10-rc5-git4.xz) = 7375743789e8fb13bacb256290bd3e7c38ff0ee02875705b67a16e32fc72b4cbb99014d6be48e082f4bf02bcbcc2aae27c7f6c8087f66b5732007aa559254d6f